Jump to content

Search the Community

Showing results for tags 'firefox'.

More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


  • Site Related
    • News & Updates
    • Site / Forum Feedback
    • Member Introduction
  • News
    • General News
    • FileSharing News
    • Mobile News
    • Software News
    • Security & Privacy News
    • Technology News
  • Downloads
    • nsane.down
  • General Discussions & Support
    • Filesharing Chat
    • Security & Privacy Center
    • Software Chat
    • Mobile Mania
    • Technology Talk
    • Entertainment Exchange
    • Guides & Tutorials
  • Off-Topic Chat
    • The Chat Bar
    • Jokes & Funny Stuff
    • Polling Station

Find results in...

Find results that contain...

Date Created

  • Start


Last Updated

  • Start


Filter by number of...

Found 367 results

  1. Firefox add-on DownThemAll makes a comeback Several add-on developers criticized Mozilla in 2015 when the maker of Firefox revealed that it would drop the classic Firefox add-ons system to replace it with a new system based on WebExtensions. That switch happened with the release of Firefox 57 in 2017. One of the developers was Nils Maier who maintained the popular download add-on DownThemAll. We reviewed DownThemAll in 2013 for the first time and found it to be an excellent extension to mass-download items on websites. The extension would parse webpages to display links, pictures and media, and other download options to the user when run. Firefox users could use it to download all images, archives, audio files, or any other type of file from sites with a simple operation. Maier criticized Mozilla for making the switch when WebExtensions API were not mature enough or even available; an extension like DownThemAll would be severely feature-limited and the decision was made not to port the extension. Extensions like Download Star were created in the meantime that supported some of the functionality of DownThemAll but they too are limited by WebExtension APIs. The developer published the source code of the WebExtensions version of DownThemAll on GitHub recently stating that the release of a beta version is just around the corner. The WebExtensions version is a complete rewrite of the extension. The developer notes that the extension will lack features that the original DownThemAll extension supported because of WebExtension limitations. Additionally, some bugs that got corrected in the legacy version will return in the WebExtensions version as there is no way to deal with them at the time. What this furthermore means is that some bugs we fixed in the original DownThemAll! are back, as we cannot do our own downloads any longer but have to go through the browser download manager always, which is notoriously bad at handling certain "quirks" real web servers in the wild show. It doesn't even handle regular 404 errors. The To-Do list, sorted into priorities, highlights upcoming features and features that cannot be implemented because of limitations. Chrome support is planned, as is localization support, support for drag and drop operations, importing and exporting, or download priorities. Features that most likely won't be implemented due to limitations include segmented downloads, file conflict management, speed limiting, download referrer sending, request manipulations, checksum or mirror support. The WebExtensions version supports selecting and downloading multiple files from webpages using filters and other tools to aid in the process. What we can do and did do is bring the mass selection, organizing (renaming masks, etc) and queueing tools of DownThemAll! over to the WebExtension, so you can easily queue up hundreds or thousands files at once without the downloads going up in flames because the browser tried to download them all at once. Closing Words The WebExtension version of DownThemAll supports the core functionality of the legacy version for the most part but will lack lots of features that made DownThemAll one of the most popular Firefox add-ons. Fans and long-time users of the add-on will give it a try probably regardless of that. Source: Firefox add-on DownThemAll makes a comeback (gHacks - Martin Brinkmann)
  2. Enhancer for YouTube is an add-on for Firefox and Chrome which offers a ton of customization There are a lot of quirks in YouTube, but we have plenty of workarounds for most issues. Most of these are possible thanks to add-ons. Today, we take a look at Enhancer for YouTube. It is an add-on for Firefox and Chrome, that can change the way you experience the streaming service. The extension adds a ton of features including better playback controls, removal of advertisement, and an option to detach and pin the player. Tip: Check out our guide on fixing choppy video playback on YouTube. Enhancer for YouTube When you install the add-on, a settings page (and a help page?) should open. You can always access the settings from the toolbar icon. It has a ton of options and we'll discuss the most important ones here. Enhancer for YouTube displays a toolbar on every YouTube page, and it has some buttons which let you control the video player. You can use the add-on's settings page to enable/disable the buttons which appear on the toolbar. The Remove ads button disables advertisements from the videos. If you're using Ublock Origin or another content blocker, just ignore this setting as ads are taken care of already. If you wish to support your favorite channel you can whitelist them so that ads are displayed if the channel uses YouTube's monetization options. The film reel icon is for enabling the cinema mode while the arrows icon is for resizing the video player. Detach Video Player This is one of the best features in Enhancer. The "detach video player" option (icon with the 2 squares) opens the video player in a separate window. You can scroll pages while watching the video in the pop-up player, but, if you click inside any window, the pop-up player shifts to the background. If you want to pin it, i.e. stay on top on other Windows (including another Firefox Window), you will need to use a third-party app, AutoHotKey, to execute a script. This is not the add-on's fault, but because of limitations for extensions. The pinned player's size and position can be customized as well. (Firefox users, refer to the closing words section for a better option.) Volume Booster This option is disabled by default because using this disables another feature (controlling the playback speed). But the volume booster can be priceless when you're watching a video that has low audio levels or when you are used to changing the volume using the mouse wheel. Themes Enhancer has many built-in themes to choose from which changes the appearance of the YouTube website. You can also use custom CSS themes: just paste the script in the add-on. The video player can also be themed but it only works in Cinema mode. To do so just pick a colour from the palette and set the opacity. Automatic video settings You can set the default playback, volume and resolution that videos should play on YouTube. In fact, you can even set your second, third and fourth choice of resolution and the extension picks the first that is available based on your priority. The add-on can optionally remove all annotations from a video. You can set the add-on to enable Theater mode, expand video descriptions, and sort comments from recent ones from the settings page. These settings are all automated once set; there is nothing that you need to do after you enable them in the settings of the extension. Custom Scripts The add-on supports custom Javascripts that you want to be executed when YouTube is loaded; this is an advanced feature of the extension and probably only useful to a handful of users who want to add or change functionality on YouTube even more. Other options Loop mode can be enabled to replay the same video endlessly. Useful, if you have an ear worm (the musical kind, obviously). You can use Enhancer for YouTube to set the following filters: Gaussian blur, Brightness, Blur, Contrast, Grayscale, Hue rotation, colour inversion, Saturation and Sepia. Tip: To access the filters, you need to right-click on the filters button. Keyboard Shortcuts and Mouse wheel You can hit Space to Play/Pause the video while the tab / video player is active. Use the Up/Down arrow keys to increase/decrease the volume, and the left/right arrow keys or "J" and "I" to rewind/fast-forward. The official support portal lists all the shortcuts (there are far too many to list here) that work with Enhancer. To change a video's speed, hold the control key while using the mouse wheel. You can play it at 0.1x speed and over 100x. The audio controls aren't enabled be default. So, you need to check the "Control the volume level with the mouse wheel......" option to change the volume quickly using the mouse wheel. Closing words Enhancer is really good, and feels like it has the features that YouTube should've had by default. Mozilla is working on a built-in option for Picture-in-Picture support for videos. It was originally planned to be included in Firefox 68, but a Mozilla engineer has confirmed that it will remain in Beta/Developer Editions and Nightly for the foreseeable future. You can manually enable it from about:config. How to enable Picture in Picture mode in Firefox If you're on Firefox 68 or above, you can search for the following keys and set them to true: media.videocontrols.picture-in-picture.enabled media.videocontrols.picture-in-picture.video-toggle.enabled media.videocontrols.picture-in-picture.video-toggle.flyout-enabled Firefox's PiP mode works on other sites too, like Twitch for example. Tip: you can check out other YouTube add-ons that enhance your experience. Check out the review of Iridium as a start. Source: Enhancer for YouTube is an add-on for Firefox and Chrome which offers a ton of customization (gHacks)
  3. Tab Session Manager is an add-on for Firefox and Chrome that saves your windows and tabs Firefox may be configured to restore the browsing session using its Session Manager. The feature works well for some but not for all users; those who experienced Session Manager issues in the past may have switched to a third-party session manager solution to avoid further complications. Mozilla revealed plans recently to improve the native session management functionality of the Firefox browser. Mozilla changed the add-on system that Firefox supports in Firefox 57; Session Managers need to use the WebExtension API which limits what the extensions may offer. One add-on which I have been relying on for saving my tabs is Tab Session Manager. It isn't new, and some of you may already be using it. For the rest, let me walk you through its core feature set. Tab Session Manager The add-on saves your sessions automatically from time to time so you don't lose your tabs. When you install it, you will see a new floppy disk icon on the toolbar; this is how you access Tab Session Manager. Click on the icon and a pop-up menu appears with all your recent browsing sessions saved. Every session has the following details: the name of the last active tab, the total number of tabs, along with the date and time when the session was saved. You have 2 in-line options next to each saved session: Open and Delete. Clicking Open will start a new tab and load the entire list of tabs that were saved. Delete, as the name suggests, erases the corresponding session. You can configure the Settings to change the way the Open button works, i.e., to load in the current window (replaces current tabs) or add to current window. Alternatively you can use the three-dot menu next to each session and choose how to load it. The search bar can be used to quickly find a session if you remember which tab was open, for e.g. type gHacks and it will display the sessions which had the blog opened in the final tab. Other options in the interface include sorting the list of sessions and viewing sessions based on some conditions (browser exited, auto-saved, regularly saved). You can manually save your session from the pop-up menu at anytime. The plus button can be used to add a tag to a session to improve identification. Clicking the gear cog icon takes you to the Tab Session Manager settings page. You can customize the add-on quite a bit. Options that are available here include Tab lazy loading, the saving of private windows, an option to restore window positions. The add-on supports the tree state of Tree Style Tab, if you're using it. (I do, but don't use this option). You can define the auto-save settings of Tab Session Manager. By default, it saves the session once every 15 minutes and stores a maximum of 10 sessions. There is a backup option in the add-on which saves the sessions when you start Firefox and stores it in the download folder. This option is not enabled by default and you need to enable it in the options. You can also manually export your sessions to your computer to save sessions in the JSON format. Similarly, you can import previous sessions that you saved locally. In addition to this, you can import a list of URLs (like in OneTab) to create a session. Closing Words Tab Session Manager is an open source project, and the extension is also available for Chrome. The Firefox add-on is compatible with the Chrome extension, i.e., you can restore the session from one browser, in the other. You can also try Session Boss, which is quite similar to Tab Session Manager. I use Tab Session Manager along with OneTab, which I use to export all URLs to a text document. While I haven't lost a session in a while, the last time it happened was when I shared an article on social media. The pop-up window which usually closes after sharing the link, somehow stayed on in the background, and I didn't notice it when closing my main browser window. It had about 3-4 dozen tabs and, yeah I lost those with no option to recover them. I think that's probably when I started using OneTab, and later added Tab Session Manager to the mix. I still miss Michael Kraft's Session Manager and Tab Mix Plus. Source: Tab Session Manager is an add-on for Firefox and Chrome that saves your windows and tabs (gHacks)
  4. Mozilla revamps Firefox's HTTPS address bar information Mozilla plans to make changes to the information that the organization's Firefox browser displays in its address bar when it connects to sites. Firefox displays an i-icon and a lock symbol currently when connecting to sites. The i-icon displays information about the security of the connection, content blocking, and permissions, the lock icon indicates the security state of the connection visually. A green lock indicates a secure connection and if a site has an Extended Validation certificate, the name of the company is displayed in the address bar as well. Mozilla plans to make changes to the information that is displayed in the browser's address bar that all Firefox users need to be aware of. One of the core changes removes the i-icon from the Firefox address bar, another the Extended Validation certificate name, a third displays a crossed out lock icon for all HTTP sites, and a fourth changes the colour of the lock for HTTPS sites from green to gray. Why are browser makers making these changes? Most Internet traffic happens over HTTPS; latest Firefox statistics show that more than 79% of global pageloads happen using HTTPS and that it is already at more than 87% for users in the United States. The shield icon was introduced to indicate to users that the connection to the site uses HTTPS and to give users options to look up certificate information. It made sense to indicate that to users back when only a fraction of sites used HTTPS. With more and more connections using HTTPS, browser makers like Mozilla or Google decided that it was time to evaluate what is displayed to users in the address bar. Google revealed plans in 2018 to remove Secure and HTTPS indicators from the Chrome browser; Chrome 76, released in August 2019, does not display HTTPS or WWW anymore in the address bar by default. Mozilla launched changes in Firefox in 2018, hidden behind a flag, to add a new "not secure" indicator to HTTP sites in Firefox. Google and Mozilla plan to remove information that indicate that a site's connection is secure. It makes some sense, if you think about it, considering that most connections are secure on today's Internet. Instead of highlighting that a connection is secure, browsers will highlight if a connection is not secure instead. The changes are not without controversy though. For more than two decades, Internet users were told that they needed to verify the security of sites by looking at the lock symbol in the browser's address bar. Mozilla does not remove the lock icon entirely in Firefox 70 and the organization won't touch the protocol in the address bar either at this point; that is better than what Google has already implemented in recent versions of Chrome. The following changes will land in Firefox 70: Firefox won't display the i-icon anymore in the address bar. Firefox won't display the owner of Extended Verification certificates anymore in the address bar. A shield icon is displayed that lists protection information. The lock icon is still displayed, it displays certificate and permission information and controls. HTTPS sites feature a gray lock icon. All sites that use HTTP will be shown with a crossed out shield icon (previously only HTTP sites with login forms). Mozilla aims to launch these changes in Firefox 70. The browser is scheduled for a release on October 23, 2019. Firefox users may add a "not secure" indicator to the browser's address bar. Mozilla, just like Google, plans to display it for sites that use HTTP. The additional indicator needs to be enabled separately at the time of writing, it won't launch in Firefox 70. Load about:config in the Firefox address bar. Search for security.identityblock.show_extended_validation. Set the preference to TRUE to display the name of the owner of Extended Validation certificates in Firefox's address bar, or set it to FALSE to hide it. The new gray icon for HTTPS sites can be toggled as well in the advanced configuration: On about:config, search for security.secure_connection_icon_colour_gray Set the value to TRUE to display a gray icon for HTTPS sites, or set it to FALSE to return to the status quo. Source: Mozilla revamps Firefox's HTTPS address bar information (gHacks - Martin Brinkmann)
  5. Goodbye Firefox Quantum, Hello Firefox Browser The Firefox web browser has had a few names since the release of the first experimental build back in 2002. First known as Phoenix, a name Mozilla had to drop because of a trademark dispute with Phoenix Technologies, and then known as Firebird, another name that Mozilla decided to drop because of the database server Firebird, Firefox was the third and final name of the web browser for a long time. The release of Firefox 57 brought another change to the name; better, an addendum to the name as Mozilla called the browser Firefox Quantum with that release. The name Quantum was selected because it was an effort to push new technologies in the browser to improve all aspects of Firefox and reverse the downwards trend user-wise. Firefox users who open the About page of the web browser right now will notice that Firefox Quantum is still used as the name of the browser. Starting with Firefox 70, another name is displayed when users open the About page. The new name is Firefox Browser. The stable version will just display Firefox Browser whereas development versions will add the channel name underneath it, e.g. Nightly or Developer. Firefox Nightly displays the new name of the browser already on the about page. Firefox users may notice that the logo changed as well. Mozilla selected a new logo for the Firefox browser and that new logo will be shown on the about page, on Mozilla's website, and other places. Why Firefox Browser and not Firefox Quantum or just Firefox? It was clear from the get-go that Firefox Quantum was just a temporary name to highlight the major changes in the new versions of the browser. Plain Firefox would not make much sense anymore either because of other projects that carry the Firefox brand. Mozilla launched plenty including Firefox Monitor, Firefox Send or Firefox Lockwise in recent years and plans to launch even more, e.g. Firefox Proxy, in the future. To better distinguish the browser, Mozilla had to add something to the Firefox name; browser is the obvious choice and Mozilla decided to select it for the name. Mozilla plans to roll out the changes when Firefox Stable hits version 70; Mozilla aims for a October 23, 2019 release according to the release schedule. Closing Words Firefox Browser is without doubt a better name than Firefox Quantum as it describes exactly what Firefox is. It does not come as a surprise that Mozilla picked Firefox as the name for all the products that it creates and not Mozilla as the brand awareness is much higher. Source: Goodbye Firefox Quantum, Hello Firefox Browser (gHacks - Martin Brinkmann)
  6. Mozilla launches Site Compatibility Tools for Firefox Site Compatibility Tools is a new extension for the Firefox web browser by Mozilla designed to find and report site compatibility issues experienced in Firefox. If you take Internet Explorer and the old Microsoft Edge out of the picture, as they are not the focus of development anymore, you are left with Firefox and Safari when it comes to browsers with a sizeable user base that are not based on Chromium. With Chrome's huge market share on the desktop, it is becoming a trend seemingly that certain websites or services don't work well in Firefox or not at all. Google plays a role here certainly, as it is not uncommon to find the company block browsers from accessing updated products or services, or even new ones, at least for a period of time. A few examples: the new Google Earth release of 2017 was Chrome exclusive, the new Chromium-based Microsoft Edge was blocked from accessing the new YouTube, or accusations that Google made YouTube slower for other browsers deliberately. Mozilla is very aware of the implications; the organization launched several projects and initiatives to tackle the issue from different angles. It launched a Web Compatibility page in Firefox recently that lists changes that Firefox makes to certain sites to get them to display and work properly in the browser. Site Compatibility Tools Site Compatibility Tools is another tool that has just been released. Web developers are the main audience but anyone may download and install the extension. The first version of the extension supports reporting functionality and provides site compatibility news for Firefox versions. Mozilla plans to extend that in the future by integrating a site compatibility checker in the extension. Once launched, it would give webmasters and developers a tool at hand to test websites for compatibility issues directly in Firefox. The extension is compatible with all recent versions of the Firefox web browser. Launch the Developer Tools after installation and switch to the Compatibility tab to display its set of tools. It starts with a list of site compatibility changes in different Firefox versions. The links point to Mozilla's Firefox Compatibility Site and provide further information on the change. The only other feature that is available in the initial release version is the reporter. It displays options to report problems with sites to Mozilla via Twitter (openly or via direct message), GitHub, or by using email. It is a rudimentary feature at the time of writing. Firefox users may report issues to Mozilla using the Web Compatibility reporter as well. It is linked in Nightly but can be accessed directly as well. Closing Words The initial version of the Site Compatibility Tools extension has limited uses; this will change when compatibility checking is integrated into the extension as it may help developers find issues on webpages and sites in an automated process. Source: Mozilla launches Site Compatibility Tools for Firefox (gHacks - Martin Brinkmann)
  7. Restores Twitter's old interface with GoodTwitter, an extension for Firefox and Chrome You may remember my previous article about how to disable Twitter's new design. I had been using those tricks to avoid the new interface until yesterday when Twitter disabled the options for my account. In case you are in the same boat, there's good news. There is an alternative way to get the legacy interface back. Here's how to do it. GoodTwitter GoodTwitter is an extension for Firefox and Chrome which restores Twitter's old interface. It is a new add-on but that is understandable considering that Twitter started to roll out the new design just recently. For those worried about the permissions, it is an open-source project, the source code is available at GitHub. Take a look at the code, and you will see that the method it uses (which I have highlighted) to restore the old Twitter interface. It spoofs the user agent that is sent to Twitter which sees the browser as Internet Explorer. This essentially tricks Twitter to load the website in a design that is compatible with IE which is the old design. Download GoodTwitter from the Firefox add-ons repository, or the Chrome Web Store. That's it, you don't have to do anything else. There are no settings to tinker with. I tested the extension in Microsoft Edge and Mozilla Firefox 68.0.1, and it works fine. Note that some functionality may be limited on the site as Twitter "thinks" the browser that is used is Internet Explorer. Non add-on method Now some of you may not want another add-on to make this work. I hear ya! All you need to do is configure your browser to spoof the user agent for Twitter.com. As far as I can tell, Chrome doesn't have a permanent per-site user agent switch. The only method I know that does not involve the use of an extension is a temporary one, which uses the Developer Tools > Network Conditions > Set User Agent option. You're better off using GoodTwitter instead. If you are using a User Agent Switcher extension which allows site-specific settings, you can copy the user agent string from the method below. Check out extensions such as Chameleon for Firefox or User Agent Switcher for Chrome mentioned here. This trick is exclusive for Firefox users. Open a new tab, and type about:config. Hit enter and select the "I accept the risk" button. You know the drill Right-click anywhere in the tab, and select New > String. Paste the following text in the "Enter the preference name" field, and click ok: general.useragent.override.twitter.com In the "Enter string value" field, paste Mozilla/5.0 (Windows NT 9.0; WOW64; Trident/7.0; rv:11.0) like Gecko and hit ok. Refresh the Twitter tab (might have to do it a few times, try Ctrl + f5). Chrome users may want to check out Google Chrome's powerful override feature. Et voilà! The good old, usable interface is back. And we used the exact same trick that GoodTwitter uses. Source: Restores Twitter's old interface with GoodTwitter, an extension for Firefox and Chrome (gHacks)
  8. Mozilla blames 'interlocking complex systems' and confusion for Firefox's May add-on outage The Firefox browser maker said it's figured out what caused problems with its browser add-ons and offered solutions to keep the issue from happening again. Magdalena Petrova Mozilla has issued multiple after-action reports analyzing the major mix-up in May that crippled most Firefox add-ons. The reports also made recommendations for preventing similar incidents in the future. The fiasco started just after 8 p.m. ET on Friday, May 3, when a certificate used to digitally sign Firefox extensions expired. Because Mozilla had neglected to renew the certificate, Firefox assumed add-ons could not be trusted - that they were potentially malicious - and disabled any already installed. Add-ons could not be added to the browser for the same reason. Mozilla rushed a stop-gap fix to the browser via its Studies system, infrastructure normally responsible for pushing test code to small groups or collecting data on reactions to sponsored content. Because the Studies approach did not reach everyone, on May 5 and May 7 Mozilla shipped two Firefox updates - 66.0.4 and 66.0.5 - that addressed the certificate mess. "The first question that everyone asks is, "How did you let this happen?'" wrote Firefox's CTO Eric Rescorla in a post to a company blog. "At a high level, the story seems simple: we let the certificate expire. This seems like a simple failure of planning." Rescorla disputed that characterization, however. Saying that the situation was "more complicated" than that, he said the responsible team knew the certificate was expiring but assumed that the browser would ignore the expiration date because in an earlier incident certificate checking had been disabled. "This led to confusion about the status of intermediate certificate checking. Moreover, the Firefox QA plan didn't incorporate testing for certificate expiration and therefore the problem wasn't detected. This seems to have been a fundamental oversight in our test plan." Others covered the crisis from different angles in separate postmortems, including an incident report and a technical report. The latter, written by Peter Saint-Andre and Matthew Miller, a principal software engineer and senior staff engineer, respectively, came to a similar conclusion. "This incident was not the fault of any individual or team but was the result of having an interlocking set of complex systems that were not well understood across all the relevant teams," the two wrote. Among the details in the Saint-Andre and Miller report was that Mozilla outsources its QA (quality assurance) testing to Cognizant Softvision, a multi-national firm with offices scattered from India and Ukraine to Romania and the U.S. "The lack of in-house or on-call QA resources caused delays in testing proposed fixes across various platforms because our external teams at Softvision were not immediately available through normal channels," Saint-Andre and Miller said. "In fact, engaging with individual Softvision team members could have introduced legal complications and the potential for data leakage." While Rescorla had spelled out some of Mozilla's failings in a blog post shortly after the add-on outage, he had promised a list of recommended changes for a later missive. His July 12 post and the July 2 report by Saint-Andre and Miller made good on that promise. Among the recommendations: a rapid-response hotfix-delivery mechanism that could push emergency updates to Firefox users. In May, Mozilla quickly created a temporary fix for the desktop versions of Firefox and pushed the patch to the browser using the Studies system. Mozilla turned to Studies to deploy the hotfix as soon as possible, rather than make users wait for a full browser update. Yet some reported that they didn't receive the hotfix or that it had not enabled Firefox's add-ons. If the user had disabled Studies, perhaps for privacy reasons (the mechanism is turned on by default), they would not have gotten the patch, for instance. "The lesson here is that we need a mechanism that allows fast updates that isn't coupled to Telemetry and Studies," contended Rescorla. "The property we want is the ability to quickly deploy updates to any user who has automatic updates enabled. This is something our engineers are already working on." Saint-Andre and Miller echoed Rescorla, but also went into detail discussing the cryptographic signing of Firefox add-ons. "Most fundamentally, the full Firefox team does not have a common understanding of the role, function and operation of cryptographic signatures for Firefox add-ons," they wrote. "Although there are several good reasons for signing add-ons (monitoring add-ons not hosted on AMO, blocklisting malicious add-ons, providing cryptographic assurance by chaining add-ons to the Mozilla root), there is no shared consensus on the fundamental rationale for doing so. In addition, maintaining a full public key infrastructure (PKI) is a complex task and we do not necessarily have a firm grasp of the engineering and business tradeoffs involved." They recommended that more complete documentation be produced so everyone knows how add-on signing works, and assuming that Mozilla is committed to the current add-on signing approach, that improvements be made "to our certificate management processes, especially our key rollover strategies." Mozilla Mozilla's incident report included a detailed timeline of the add-on meltdown, from the certificate expiring to the final fix pushed to Firefox users 21 days later. Some clever wag at Mozilla named the graphic Armagaddon-timeline.prg! Source: Mozilla blames 'interlocking complex systems' and confusion for Firefox's May add-on outage (Computerworld - Gregg Keizer)
  9. Mozilla revealed plans today to remove so-called legacy add-ons from the organization's repository site for extensions Mozilla AMO. Mozilla AMO hosts legacy add-ons and WebExtensions currently; going forward, Mozilla wants to purge legacy add-ons from the site as those are no longer compatible with any supported version of the Firefox web browser. Legacy add-ons is a broad term that refers to extensions, themes, and other content that is no longer supported by recent versions of the Firefox web browser. Mozilla switched from the classic add-ons system for Firefox to a system that is based on WebExtensions with the release of Firefox 57. Currently, Firefox ESR 52.x is the only supported version of the Firefox web browser that supports legacy add-ons. All other Firefox versions that Mozilla supports, be it Stable, Beta, or Nightly, support only WebExtensions. With no supported version of Firefox still supporting legacy add-ons, Mozilla will remove these extensions from the site to streamline it. Third-party browsers based on Firefox code may continue to support Firefox legacy add-ons, and some users of Firefox made the decision to block browser updates to avoid having legacy add-ons disabled automatically by new versions of the browser. The timeline the organization published today is as follows: September 6, 2018 -- Submissions for new legacy add-on versions are disabled. Mozilla does not accept submissions for new add-ons that use legacy add-on systems already. The change affects extension updates. Early October 2018 -- All legacy add-ons are disabled. Disabled means that they won't show up anymore on Mozilla AMO but are still available in the backend. Since the extensions are still listed on AMO, add-on developers may publish updates that transform their legacy add-ons into WebExtensions. The extensions would get published on the add-ons store again when that happens and users who had these installed -- and not removed yet -- will receive the updates so that they can use the extension once again. Attempts are underway to preserve the classic add-ons archive. These projects have about six weeks to create an archive of all legacy add-ons still available on Mozilla AMO to preserve it. Statistics about the purging would be interesting; how many legacy add-ons, separated into extensions and themes, are removed in October 2018, and how many WebExtensions remain in Store. Closing Words The removal of legacy add-ons from Mozilla Add-ons marks an end of an era. While some long standing extensions have been migrated to WebExtensions, lots of extensions were not for a variety of reasons. Some are abandoned, others can't be ported because the provided APIs don't allow certain functionality, and some extension developers may have decided not to port their extensions. Whatever the reason, the removal marks the end of extensions such as Classic Theme Restorer, DownThemAll, ChatZilla or FirefFTP, and all full themes released for the web browser. It makes sense from Mozilla's perspective to hide these add-ons from Mozilla AMO to avoid user confusion; still, a part of web history and Firefox's history is removed by the move. Related articles How to find replacements for Firefox legacy add-ons How to move Firefox legacy extensions to another browser Source Update from Waterfox Author:
  10. Next up for Firefox's Tracking Protection: Social Media tracker blocking Mozilla plans to extend the functionality of Firefox's Tracking Protection feature soon by adding Social Media tracker blocking to the list of protections. Social Media tracker blocking is not an entirely new feature but Mozilla wants to move it into its own Tracking Protection category and improve it at the same time. Tracking Protection is a built-in feature of the Firefox web browser that has been designed specifically to mitigate tracking on the Internet. Mozilla enabled Tracking Protection by default for all instances just recently in stable versions of Firefox; the feature was enabled in private browsing windows previously only. The organization announced in mid 2018 that it had plans to push Tracking Protection, and that is exactly what it has been doing since. The next upgrade addresses another major source of tracking on today's Internet: social media tracking. Mozilla plans to introduce the feature in Firefox 70 Stable but the release may be postponed depending on how development progresses or even pulled. Firefox 70 Stable is scheduled for a October 23, 2019 release. Mozilla plans to block social media trackers by default in Firefox once the feature lands. Tracking Protection supports the three different states Standard, Strict and Custom; standard is the default state and social media tracker blocking is enabled in that state. Mozilla maintains a list of trackers that will get blocked when the feature is enabled. The current list includes Facebook, Twitter, LinkedIn, and YouTube, and the various tracking domains that these social media services use. Firefox users may click on the Shield icon in the browser's address bar to display the types of trackers that are blocked on the active site. Social Media Trackers will be listed there if any are blocked and users may click on the small arrow icon to display the list of trackers the site attempted to load. Mozilla plans to make use of doorhangers in the future to inform users about tracking protection features. Closing Words Tracking Protection is a core feature of the Firefox web browser that has been improved significantly in the past 12 months to block more trackers but also other unwanted content such as cryptomining or fingerprinting. There is certainly room for improvement, either by improving existing protections, e.g. fingerprinting, or by implementing new tracking protection groups. Source: Next up for Firefox's Tracking Protection: Social Media tracker blocking (gHacks - Martin Brinkmann)
  11. Group Speed Dial is a free, customizable new tab page extension for Firefox Not to take anything away from Opera's iconic speed dial, but Group Speed Dial for Firefox has possibly the best customizable new tab page I've ever used. When Mozilla made WebExtensions the only available option in Firefox 57, it killed many legendary add-ons. One of these was in my opinion, Speed Dial by Josep Del Rio. If you're a creature of habit, and tend to or visit the same websites every day, a Speed Dial page can be more convenient than regular bookmarks. The default new tab page in Firefox is okay, but I wanted more. That's when I came across Group Speed Dial by Juraj Mäsiar. It looked like a fork of the original add-on, something which I wasn't expecting at all. It seemed to me like the author also missed Speed Dial, and had created the new extension. Group Speed Dial has a lot of nifty features, some of which may have been added over time since its debut. Group Speed Dial - Basic Usage Once you install the add-on, it effectively replaces the "new tab page", with speed dials which act as visual bookmarks to the web pages that you want. To create a new speed dial, click on an empty tile and paste the URL of the web page in the "Link to page" field. Tip: You can quickly add a website to the speed-dial, by clicking the add-on's icon and selecting "Add this page to dial". For e.g. You could link to the Ghacks.net homepage, to quickly visit the blog. Since it is a visual bookmark extension, it generates a preview of the web page. You can refresh the dial's thumbnail, to keep it up to date. Tip: Some previews may require you to sign in to the specific website. By default, the speed dial page has 9 dials in a 3 by 3 format. You can however, customize the settings to add more. You can also add more pages, or Groups, as the extension's name suggests. Each page has a 3 x 3 grid, which you can customize. You can give each group a name to keep things well organized. Tip: There are many ways to organize the dials. Want to move a dial to a different dial? Click and drag it to the dial position and let go. This also works if you want to move dials between group. Advanced Options Click on the extension's icon on the toolbar, and you will see pop-up menu with a few options including one which says, "Options", except this one lets you modify the extension's settings. The options page lets you select between a white and a dark theme. The Dials and Groups appearances can be customized to your liking as well including the thumb nail size, . You can set Group Speed Dial to always open in new tab, always open in new window, auto switch to new tab etc, . You can use a custom background for your Speed Dials. The add-on lets you choose among the following background options: None, Bing image of the day, Gradient colours, A picture stored on your computer, A picture from URL and even a web-page. Note: When you use a background, there maybe a slight delay (a split-second) when the new tab page loads. Backup/Restore Dials and Settings This is an incredibly useful option. When I installed Group Speed Dial, I was pleasantly surprised to be able to import my settings/dials from Speed Dial. This got the extension ready to use in a matter of seconds. Similarly, you can use the backup option in the extension to save all your speed dials and settings. Keep a copy of this in your cloud storage account or a portable drive, in case you need to re-install Windows or you're switching computers/hard drives or want to refresh Firefox. Tip: There is another extension called "Ctrl + Number for Group Speed Dial", made by the same author. Installing this plugin allows you to use keyboard shortcuts to quickly open the dial you want. E.g. Ctrl + 1 for the 1st dial, Ctrl + 5 for the 5th, and so on. Group Speed Dial has optional cloud based features, but I prefer to use it offline, as I only use Firefox. The extension is also available for Google Chrome and Opera, but I have not used those, and hence cannot comment on them. Source: Group Speed Dial is a free, customizable new tab page extension for Firefox (gHacks)
  12. Firefox 68 features a new Add-ons Manager Firefox's Add-ons Manager is one of the core components of the web browser, at least for Firefox users who install browser extensions, themes, or language packs. Mozilla plans to launch a redesigned Add-ons Manager in Firefox 68 that does away with older technologies that Mozilla used in the past in Firefox. Mozilla implemented some changes to Firefox's Add-ons Manager in Firefox 64; it was clear back then that this was just a first step for the organization and that the bulk of changes would follow at a later point. The design of the Add-on's Manager was switched to a Cards design in that release. The Add-ons Manager in Firefox 68, out July 9, 2019 according to the Firefox release schedule, does not rely on legacy technologies such as XUL anymore and introduces the bulk of the changes. The new about:addons design of Firefox 68 looks similar to the Firefox 64 design but there are notable differences. Mozilla replaced the action buttons that Firefox attached to each of the extensions with a menu. One of the effects of the change is that there is more room for the extension's description, another that it takes an extra click to disable or remove extensions. A click on the extension's card opens the details view. The same view is also available when you click on the menu and select options. Details view separates information into tabs. Details contains the description of the extension, its verison and rating, and settings that are valid for all extensions, e.g. to change automatic updates behavior for that extension or allow or disallow it to run in private windows. The permissions tab lists all requested permissions by the extension. Release notes and Preferences are additional tabs that may be displayed for some extensions. The display depends on each individual extension. The main Add-ons Manager menu displays the new report option. Firefox users may report extensions to Mozilla by selecting one of the available categories, e.g. creates spam or advertising, damages my computer and data, or doesn't work, breaks websites, or slows Firefox down. The main "Manage your Extensions" page lists recommended extensions by default. Mozilla introduced the new Recommended Extensions Program for Firefox some time ago and launched a preview version in Firefox Nightly. The organization maintains a list of extensions that meet certain requirements and uses the list to recommend extensions to Firefox users. Firefox users who don't want the feature can turn extension recommendations off easily. Source: Firefox 68 features a new Add-ons Manager (gHacks - Martin Brinkmann)
  13. Mozilla starts test of subscription-based ad-free Internet experience Mozilla launched a new subscription-based service today in partnership with Scroll.com that gives subscribers an ad-free reading experience on participating news sites. Some might say that they get an ad-free experience already thanks to the content blocker that they are using, and that may very well be the case for sites that don't use paywalls or other means of blocking Internet users with ad-blockers from accessing the sites. The idea behind the new service is simple: make sure that site owners and users benefit from an ad-free Internet. Many Internet sites rely on advertisement revenue. Content blockers on the other hand remove ads which is beneficial to the user, but they don't address the revenue issue that arises. You could say that it is not the task of the content blocker to make sure that a site survives, and that is true, but as a user, you may be interested in keeping some sites alive. With Scroll, users would pay a monthly subscription fee to support participating sites. The details are a bit blurry right now. The First Look page is up and it provides some information. According to it, a subscription will cost $4.99 per month but you don't get to see a list of participating sites right now. A click on subscribe leads to a survey and and that sign-ups are limited at the time. Scroll lists some of its partners, and it is a selection of major sites such as Slate, The Atlantic, Gizmodo, Vox, or The Verge. The participating companies receive subscription money instead of advertising revenue. How the subscription money is split up is unclear and there is no information on Scroll's website about how the money is divided among the participating companies. Will participating publishers get their share based on activity or is it a flat fee instead? Mozilla and Scroll will likely get a cut as well. Subscribers get a handful of other benefits besides supporting sites and accessing these sites without seeing any advertisement: from a seamless experience between mobile and desktop devices to audio versions of articles, and a special app that highlights new content without advertising. Closing Words The idea to get Internet users to pay a small amount of money to get rid of advertisement is not entirely new. The test that Mozilla plans to conduct is very limited at the time, only a handful of publishers support it and while that makes for a good start, it is hard to imagine that this is attractive enough to get a sustainable number of users to sign up. It may be an option for Internet users who are a regular on one or multiple of the sites that joined the experiment, and it may be better than having to deal with sites individually instead. Then again, unless Scroll supports lots of sites, I cannot really see this go far unless the service opens its door for all publishers and reveals how business is conducted. The chance of success is certainly higher with a partner like Mozilla. Source: Mozilla starts test of subscription-based ad-free Internet experience (gHacks - Martin Brinkmann)
  14. Mozilla has finally introduced a mechanism to let Firefox browser automatically fix certain TLS errors, often triggered when antivirus software installed on a system tries to intercept secure HTTPS connections. Most Antivirus software offers web security feature that intercepts encrypted HTTPS connections to monitor the content for malicious web pages before it reaches the web browser. To achieve this, security software replaces websites' TLS certificates with their own digital certificates issued by any trusted Certificate Authorities (CAs). Since Mozilla only trusts those CAs that are listed in its own root store, the antivirus products relying on other trusted CAs provided by the operating system (OS) are not allowed to intercept HTTPS connections on Firefox. In recent months, this limitation continually crashed HTTPS pages for many Firefox users showing them SEC_ERROR_UNKNOWN_ISSUER, MOZILLA_PKIX_ERROR_MITM_DETECTED or ERROR_SELF_SIGNED_CERT error codes when their antivirus attempts to intercept an HTTPS-enabled page by adding its root certificate to Firefox store. To let users easily fix this issue, starting with Firefox 68, the browser will now automatically enable the "enterprise roots" preference and retry the connection whenever it detects a "Man-in-the-Middle" TLS error. Enabling the "security.enterprise_roots.enabled" setting configures Firefox to trust certificates in the operating system certificate store by importing "any root CAs that have been added to the OS by the user, an administrator, or a program that has been installed on the computer." According to the company, this option is available on Windows and MacOS. The company has also recommended antivirus vendors to enable the "enterprise roots" preference instead of adding their own root CA to the Firefox root store. Moreover, the company also says that with Firefox ESR 68, the "enterprise roots" preference setting will come enabled by default. While talking about users concerns over Firefox automatically trusting certificates that haven't been audited and gone through the rigorous Mozilla process, the company says "any user or program that has the ability to add a CA to the OS almost certainly also has the ability to add that same CA directly to the Firefox root store." Besides this, starting with Firefox 68, which has been scheduled to be released on 9th July, the sensitive device features like the camera and microphone will require an HTTPS connection to work with the browser. Source
  15. This is Firefox's new QuantumBar Address Bar design Firefox 68 will be the first stable version of the web browser that features the rewrite of Firefox's address bar. The new component, called QuantumBar -- matching Mozilla's use of the Quantum name since the release of Firefox 57 Quantum -- replaces the Awesome Bar in Firefox 68. The core difference between both address bar implementations lies under the hood. Awesome Bar uses classic Firefox components such as XUL and XBL that are purged from the browser, the QuantumBar web technologies. Firefox users should not see much of a difference when they are updated to Firefox 68; Mozilla wanted the new implementation to look and feel like the old in the first release. Mozilla plans to activate the QuantumBar in Firefox 68 and to introduce updates to the address bar in future versions of the web browser. A new design mockup reveals information about planned changes and experiments. Mozilla plans to introduce changes to the QuantumBar implementation after the release of Firefox 68. The changes won't be massive in scale but they may improve functionality or change the layout or design of the address bar somewhat. One of the first changes that Firefox users may notice once the changes land is that the address bar gets a bit bigger when it is selected or when a new tab page is opened. It is a visual indicator that the bar is selected. The list of suggestions and on-off searches displayed when users start to type in the address bar won't fill the entire browser window width anymore. The suggestions use the same width as the address bar once the change lands. Firefox continues to highlight the user typed text in the list of suggestions. Mozilla plans to change that for search suggestions however. Search suggestions will have the suggested part highlighted instead to make. Whether that might lead to some confusion as to what gets highlighted when users type in the address bar remains to be seen. Another useful change is that Firefox "remembers" the current state of input. Current versions of Firefox forget what you have typed if you click outside of the area or switch tabs accidentally. The new implementation displays the last state automatically so that you may continue right away. The on-off search icons come with descriptive text that explains that the searches are for a single search only and won't change the default search provider in the Firefox browser. Mozilla plans to run a number of experiments next to these changes that might make their way into the final version of the browser eventually. The following experiments are considered currently: Display the Top 8 sites from Activity Stream on address bar activation -- Firefox displays the top 8 visited sites taken from Activity Stream when the address bar is selected. Replace one-off searches with Search shortcuts -- Instead of running searches when search icons are selected, Firefox would simply open the search engine. Single SAP -- Removes in-content search from Activity Stream and Private Browsing (removes the search bar on New Tab page and other pages) Search Tips -- Provide contextual information to help users understand QuantumBar functionality. Search Interventions -- Intercept Firefox specific-searches to "surface buried functionality". Firefox 68 is scheduled for a July 9, 2019 release. Source: This is Firefox's new QuantumBar Address Bar design (gHacks - Martin Brinkmann)
  16. Firefox will use BITS on Windows for updates going forward Mozilla plans to change the updating technology that the organization's Firefox web browser uses on the Windows platform. The organization plans to use BITS, the Background Intelligent Transfer Service, on Windows to handle Firefox updates. BITS is a Windows file transfer service that supports downloading files and resuming interrupted file transfers while being "mindful" of the responsiveness of other network applications and network costs. Current versions of Firefox use a task called Mozilla Maintenance Service and a background update component to push updates to Firefox installations. The functionality was launched in 2012 to improve the updating experience especially on Windows. Firefox 68 could be the first stable version of Firefox to use BITS on Windows devices according to Mozilla's plans. The functionality is still in active development and it is possible that things may get delayed. The use of BITS is just the first step in Mozilla's plan, however. The organization wants to roll out another new component to handle background updates better. The component is called Background Update Agent and it is designed to download and apply updates to Firefox. The background process may download and install updates even if the Firefox web browser is not running on the system. Mozilla hopes that the new updating mechanism will be beneficial to Firefox users with slow Internet connections. The organization noticed that updates would often be terminated prematurely when users exited the browser on slow Internet connections. Mozilla engineer Matt Howell created the bug 2 years ago on Mozilla's bug tracking website. The Update Agent is being planned as a background process which will remain running after the browser is closed to download and apply updates. This should make updating more convenient for everyone and reduce the time to get new updates for users who aren't well supported by the current update process because they don't run Firefox very much and/or they have slow Internet connections. BITS preferences Note that BITS functionality is still in development at the time of writing and that some things may not work correctly right now. Firefox 68 will support two BITS related preferences; one determines whether BITS is enabled and in use, the other whether the Firefox version is part of a trial group. Load about:config in the Firefox address bar and hit enter. Confirm that you will be careful. Search for bits The preference app.update.BITS.enabled determines whether the new update functionality is enabled. True means BITS is used and enabled. False means BITS is not used and not enabled. The preference app.update.BITS.inTrialGroup is a temporary preference used during tests. Restart Firefox. Mozilla plans to add a preference to Firefox's options that gives users control over the background updating process. Firefox users may disable background updating using the preference so that the process won't download and install updates while Firefox is not running. Closing Words The use of BITS should improve Firefox's update process, especially for users on slow connections. Mozilla hopes that the new functionality will leave less Firefox installations behind version-wise. Users who don't want it will be able to disable the background updating in the options. (via Techdows) Source: Firefox will use BITS on Windows for updates going forward (gHacks - Martin Brinkmann)
  17. Mozilla plans far-reaching changes to Protective features in Firefox Mozilla plans to improve the protective features of the Firefox web browser further by making user interface changes, introducing social blocking as a new tracking protection feature and protection reports, and launching a new service called Firefox Proxy. Mozilla improved the Tracking Protection feature of the Firefox web browser with the release of Firefox 67.0 in May 2019. The organization added fingerprinting and cryptomining protections to Firefox, and enabled third-party tracking cookies blocking in Firefox 67.0.1 by default. A series of new mockups suggest that Mozilla plans to make far-reaching changes to the protective features in Firefox. It needs to be noted that the plans could change, and that the final product could look different. Away with the i-icon, new tracking protection panel Firefox users may access site information with a click on the i-icon in the browser currently. A click on the icon displays information about the connection, tracking protection, and site permissions. Mozilla plans to remove the icon from Firefox and separate information into a Tracking Protection panel and the lock icon for the connection. The organization identified several issues with the current design including information overload, no separation of blocked and unblocked items, vague terminology, and visibility issues. The shield icon of the Tracking Protection feature will be visible all the time. A click on the icon displays only Tracking Protection options and information: Tracking Protection on/off toggle. Site not working repair suggestions and report option. Elements that are blocked and elements that are not blocked but can be blocked are displayed. Not blocking information. Link to Protection settings. Link to the new Protection report. The lock icon that indicates the security of the connection gets new functionality as well. Mozilla moves the connection information and site permissions to the icon. The new layout paves the way for a new type of interaction that Mozilla would like to implement. Mozilla could use the panel to push information and other content to the panel using a new Messaging system. New Social Blocking feature Social Blocking is a new Tracking Protection feature that blocks social media sites from tracking users across the Internet. The feature blocks trackers such as like-buttons or embeds on third-party sites to eliminate or reduce tracking. Firefox may display prompts to temporarily disable social trackers if they are required for user interaction, e.g. when a sign in requires that certain trackers are allowed as it would not work otherwise. Firefox users may allow tracking temporarily to complete the process. Firefox may display a notification at the top of the web page if it detected that social media tracker blocking blocked content elements such as login forms on the page. The browser displays an option to load the page with tracking protections turned off to access the missing functionality. Protection Reports Another new feature that Mozilla plans to introduce is a reporting feature called Protection Report. The browser displays the number of blocked trackers per day of the week and sorted into categories such as cross-site trackers or social trackers. The report provides Firefox Monitor and Firefox Lockwise information as well. Firefox Monitor is a breach-checking and notification service, and the report highlights the number of monitored email addresses, known breaches, and exposed passwords. Firefox Lockwise is a password manager. The report displays the number of stored and duplicate passwords. Source: Mozilla plans far-reaching changes to Protective features in Firefox (gHacks - Martin Brinkmann)
  18. Tor Browser 8.5.3 has been released to fix a Sandbox Escape vulnerability in Firefox that was recently used as part of a targeted attack against cryptocurrency companies. As this vulnerability is actively being used, it is strongly advised that all Tor users upgrade to the latest version. When starting Tor Browser, it should alert you if a new version is available. If you would like to perform a manual check, you can do so by going to Tor Browser menu -> Help -> About Tor Browser. Unfortunately, like the previous release, the Android version of Tor Browser 8.5.3 will not be available until the weekend as part of the Tor team who handles the Android signing token is away at an event. Tor 8.5.3 can be downloaded from the Tor Browser download page and from the distribution directory. The full changelog for Tor Browser 8.5.3 is: Tor Browser 8.5.3 -- June 21 2019 * All platforms * Pick up fix for Mozilla's bug 1560192 Sandbox Escape vulnerability fixed This week it was discovered that two Firefox zero-day vulnerabilities were used as part of targeted attacks against cryptocurrency firms. The two vulnerabilities used in the attack are a remote code execution vulnerability chained with a sandbox escape vulnerability. Yesterday, the Tor Project released Tor 8.5.2 to fix the RCE vulnerability, and today's release of 8.5.3 fixes the Sandbox Escape vulnerability in the bundled Firefox browser. "This release includes an important security update in Firefox, a sandbox escape bug, which combined with additional vulnerabilities could result in executing arbitrary code on the user's compute" When these two vulnerabilities were chained together, they were able to download and install information-stealing Trojans on a victim's computers as well as remote access to the computer's network. Due to this, it is imperative that users install this update immediately. Source
  19. Mozilla has released a second security update this week to patch a second zero-day that was being exploited in the wild to attack Coinbase employees and other cryptocurrency organizations. Firefox 67.0.4 and Firefox ESR 60.7.2 are now available for Firefox users through the browser's built-in update mechanism. This second bug was used together with another one that Mozilla patched two days ago, through the release of Firefox 67.0.3 and Firefox ESR 60.7.1. The two zero-days The first one was described as a "remote code execution" vulnerability that allowed remote attackers to run malicious code inside Firefox's native process. The bug (CVE-2019-11707) was discovered on April 15 by a Google Project Zero researcher and reported to Mozilla, who only patched it this week after the Coinbase security team reported attacks exploiting the vulnerability, together with a second zero-day (CVE-2019-11708). This second zero-day, which Mozilla described as a "sandbox escape" allowed malicious threat actors to escape from the Firefox protected process and execute code on the underlying operating system. When combined, the two bugs provide a quick avenue for running malicious code from within a website on a visiting user's computer. The two zero-days used in the same attacks As ZDNet broke the news earlier today, these two zero-days were being used by an unknown hacking group in attempts to infect the Coinbase staff. Coinbase employees would receive spear-phishing emails that would contain links to malicious sites. If they clicked the links and visited the sites -- if they used Firefox -- the page would download and run an info-stealer on their systems that would collect and exfiltrate browser passwords, and other data. The attacks were tailored for both Mac and Windows users, with different malware strains delivered for each OS. The attacks have been going on for weeks before being detected, and Coinbase said they also targeted other cryptocurrency organizations, and not just their employees. The Firefox bugfix for the second zero-day is expected to land in the Tor Browser in the coming days. Today, the Tor Browser team updated to version 8.5.2, which includes the fix for the first zero-day. Source
  20. Mozilla releases Firefox 67.0.3 to fix actively exploited zero-day. The Mozilla team has released earlier today version 67.0.3 of the Firefox browser to address a critical vulnerability that is currently being abused in the wild. "A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop," Mozilla engineers wrote in a security advisory posted today. "This can allow for an exploitable crash," they added. "We are aware of targeted attacks in the wild abusing this flaw." Samuel Groß, a security researcher with Google Project Zero security team, and the Coinbase Security team were credited with discovering the Firefox zero-day -- tracked as CVE-2019-11707. Outside of the short description posted on the Mozilla site, there are no other details about this security flaw or the ongoing attacks. Based on who reported the security flaw, we can safely assume the security flaw was being exploited in attacks aimed at cryptocurrency owners. Groß did not respond to a request for comment from ZDNet seeking additional details about the attacks. Firefox zero-days are quite rare. The last time the Mozilla team patched a Firefox zero-day was in December 2016, when they fixed a security flaw that was being abused at the time to expose and de-anonymize users of the privacy-first Tor Browser. Fellow browser maker Google patched a zero-day in its browser in March this year. The zero-day was being used together with a Windows 7 zero-day as part of a complex exploit chain. Source
  21. Block autoplaying video and audio in Firefox 69+ natively Most modern web browsers mute audio content that plays automatically on websites that users visit on the Internet. Firefox started to block autoplaying audio automatically with the release of Firefox 66 which Mozilla started to test in mid-2018 already in development versions of the web browser. Google Chrome, and most Chromium-based browsers, block audio from playing automatically as well on sites. Mozilla plans to improve Firefox's autoplay-blocking capabilities with the release of Firefox 69. Firefox 69 is scheduled for a September 3, 2019 release. Current versions of the Firefox web browser, that is any version pre-69, block audio from playing automatically when you visit Internet sites. Video content is not blocked in the web browser even if sites play videos automatically when you open them. Starting with Firefox 69, Firefox users will get an option to add video to the autoplay-blocking behavior of the web browser. The new Autoplay permission replaces the "block websites from automatically playing sound" option in the Firefox options. A click on the Settings button associated with the permission opens a new configuration overlay in the browser. There you find an option to set the default level of blocking for all sites and to manage websites with custom autoplay permissions. Firefox 69 supports the following three defaults for autoplay media on websites: Block Audio -- Default level. Blocks audio from playing automatically but won't block video from playing. Block Audio and Video -- New option. Blocks any media from playing automatically. Allow Audio and Video -- Allows all media to autoplay. You cannot use the configuration prompt to set custom permissions for sites. That needs to be done on the frontend by clicking on the i-icon in the Firefox address bar. Doing so opens the site information options for the active site. There you find information about the connection and content blocking, and permissions. Firefox displays all permissions that apply to the site; the development version of Firefox 69 displays "autoplay sound" still when autoplay is blocked or allowed on the site but that is surely going to get fixed before the stable release. A click on the menu next to the blocking option displays the three levels of blocking. There you may set a custom level, e.g. allow audio and sound, for that particular site. The changes that you make apply to the entire site automatically. A click on the settings icon next to permissions opens the autoplay permissions to manage the defaults and list of exceptions. Firefox won't block video and audio content on media sites. When you open a video on YouTube, it plays just fine with audio as it is the desired behavior, and the same is true for other media streaming sites such as Dailymotion. Extensions may block autoplay on video hosting sites such as YouTube, YouTube no Buffer, for example blocks autoplay on the site and when videos are embedded on third-party sites. Closing Words Starting with the release of Firefox 69, Firefox users get built-in options to block video content from autoplaying on sites automatically. The browser continues to block audio content only by default but users may change the default behavior in the settings to block video as well. Source: Block autoplaying video and audio in Firefox 69+ natively (gHacks - Martin Brinkmann)
  22. Firefox 69 gets a password generator Mozilla is working on a new feature for the Firefox web browser that helps users generate random secure passwords when they create new accounts on the Internet. The feature is part of a concentrated effort to make the password manager of the Firefox browser more useful. Mozilla launched a first batch of improvements in Firefox 67 which it released on May 21, 2019 to the public. Among the new features were options to save passwords in private browsing mode and support for an authentication API. Mozilla released Firefox Lockwise, a password manager companion app for Android, iOS and desktop systems recently as well. Firefox Lockwise on mobile brings all saved Firefox passwords to the mobile device and supports options to sign-in globally using these passwords. Mozilla plans to introduce a password generator in Firefox 69. The password generator would work in conjunction with Firefox's built-in password manager. Firefox suggests a password during registration processes on Internet sites. The process works on sites that use the autocomplete="new-password" attribute currently only but will work on password fields that don't use it as well in the future. (thanks Sören) Firefox displays a "use generated password" option when the password field is activated. Selection of the password adds it to the field and saves it automatically under saved logins. The password is saved there even if the registration is ended prematurely. The new password generator of Firefox is not enabled by default in Firefox Nightly. It is controlled by an advanced configuration option that Firefox users may set to on or off to allow or disable the functionality. Load about:config in the Firefox address bar. Confirm that you will be careful. Search for signon.generation.available. Set the preference to True to enable the password generator or set it to False to disable it. Firefox 69 has a preference in the regular settings to control the password generator. Load about:preferences#privacy in the Firefox address bar. Scroll down to the logins and passwords section. Suggest and generate strong passwords determines whether Firefox's password generator is turned on or off. Check it to turn it on, or uncheck it to turn it off. Firefox 69 is scheduled for a September 3, 2019 release. Closing Words The password generator comes without any configuration options at this point; it is not possible to change important parameters such as the password length or charset. Still, the introduction is a step in the right direction as it assists users who use Firefox's built-in password manager with the generation of passwords that are more secure than the average passwords that users choose when they create accounts on the Internet. Google Chrome supports password generations as well but only if sync is enabled. Source: Firefox 69 gets a password generator (gHacks - Martin Brinkmann)
  23. Firefox's Session Restore code is changing, bugs possible Firefox users may experience bugs and issues related to the browser's Session Restore feature while Mozilla is working on changing the feature's code. Session Restore is a core feature of the Firefox web browser designed to reload the last browsing session on start of the browser. Firefox users may set up the browser to load all open tabs of the previous browsing session on start of the browser. All that is required for that is to make sure that "Restore previous session" is enabled on about:preferences. Mozilla started to work on converting Firefox's current Session Restore logic to C++ to reduce the feature's impact on the browser's memory usage and performance. The bug listing on Mozilla's bug tracking website, bug 1474130, highlights the rationale behind the change content-sessionStore.js is currently loaded into every tab frameloader. Which means it gets loaded multiple times per process, which is not great. But even when loaded only once, it uses about 86K. Add to that 17K from ContentRestore.jsm and 12K from SessionHistory.jsm, and we're up to at least 120K per process, if none of the other helper JSMs get loaded. The things that these scripts do can easily be done by C++ (some of them more easily), so there doesn't seem to be a good justification for loading this much JS into every process for the sake of session restore. Ah, and of course another 12K for Utils.jsm. Mozilla hopes to address Sessionstore related performance issues with the move and to reduce the per-process memory costs of Firefox processes. The meta Sessionstore feature development bug lists the work that still needs to be done to improve the feature. It is clear, just by looking at the list of dependencies and open bugs, that it will take quite some time to resolve all outstanding issues. Another meta bug collects reliability reports related to Sessionstore, and yet another performance related issues. The list of dependencies is even longer and some users who filed bugs noticed them in stable versions of the Firefox web browser and not development versions. Tip: How to restore Firefox sessions if Session Restore is not working correctly Firefox users will benefit from the change once it lands but issues may be experienced in the meantime, especially in development versions of the Firefox web browser. Session Restore may be unable to restore the session; at least one case has been reported on Reddit by a user who reported that Firefox would restore an older session and not the most recent one. Firefox users may want to consider backing up their profiles regularly in the meantime or using extensions such as Session Boss, Tab Stash, SessionSync or Set Aside. (thanks Robert) Source: Firefox's Session Restore code is changing, bugs possible (gHacks - Martin Brinkmann)
  24. If you lost all passwords in Firefox, read this! Reports are coming in by Firefox users from all over the world that saved passwords are no longer available when they start the web browser. Firefox, just like any other modern browser, supports the saving of authentication information to improve the sign-in process on websites. Instead of having to enter the passwords manually each time they are requested, Firefox would provide the password when needed. Firefox saves the data in the file logins.json in the Firefox profile folder. Reports suggest that Avast and AVG security applications cause the issue for Firefox users. It appears that the software programs somehow corrupt the login.json file so that Firefox cannot read it anymore. It is possible that other security programs may cause the issue as well. Good news is that the passwords are still there and that affected users should be able to recover them on their devices. Bad news is that this is only a temporary solution as the files will be corrupted again unless Avast updates its software programs to address the issue. In other words: the issue is not caused by Firefox, it is caused by third-party software that corrupts the logins file of the Firefox web browser. Fixing the lost password issue Open the Firefox web browser. Load about:support. Click on the "open folder" link near the top of the page that opens; this opens the profile folder. Close Firefox. Check if you see a file called logins.json.corrupt. If you do, rename the file to logins.json to fix it. Start Firefox. The passwords should be available again. The fix is a temporary one as the logins file will corrupt again when you restart the system. One option to fix the issue on the user's end would be to exclude Firefox or the file from scans. Other than that, you either have to wait for AVG/Avast to issue a patch that addresses the problem or remove the software from the system. Some Firefox users fixed the issue by rolling back to Firefox 67.0.1; AVG/Avast software appears to play fine with that version of the browser. The incident is not the first time that AVG or Avast software caused issues in Firefox. When Firefox 61 was released in mid 2018, the browser suddenly threw Secure Connection Failed errors when attempting to connect to HTTPS sites. Then in February 2019, users would get SEC_ERROR_UNKNOWN_ISSUER when connecting to secure sites. Turned out that the issues were caused by the security software. Update: Here is the official bug by Mozilla that highlights the issue. (thanks Techdows) Update 2: AVG provided the following statement: Some AVG users recently may have been unable to access their browser passwords when using Firefox. This only applied to those who purchased the AVG Password Protection feature and the issue was fixed today at 12:20pm. Avast users were not affected. This happened because Firefox updated its certificates for sign in to the new version of the browser and AVG did not have this new certificate marked in its database as trusted. The problem was fixed today for AVG users at 12:20 CET and an update was distributed immediately to our user base. AVG checks for updates every four hours, and users can also manually update their software under their AVG settings -> Update. Users with product version VPS 190614-02 and newer will not experience any issues. For those affected, Firefox has not deleted the password file but will have renamed it to from ‘logins.json’ to something like ‘logins.json.corrupt’ (or ‘logins.json-1.corrupt’, ‘logins.json-2.corrupt’, etc.). This means the passwords are not lost, but the user will need to rename the file back to ‘logins.json’. We recommend the user does a backup of these ‘logins.json’ files, for example to another folder, before renaming them. The password file is typically stored in the Firefox profile directory: c:\Users\<user-name>\AppData\Roaming\Mozilla\Firefox\Profiles\<random-string>.default\logins.json We apologize for any inconvenience this may have caused to the affected users. Source: If you lost all passwords in Firefox, read this! (gHacks - Martin Brinkmann)
  25. Firefox 68: add-on release notes in add-ons manager The Firefox Add-ons Manager will soon display the release notes of updated extensions directly in the web browser. Mozilla plans to release the new feature in Firefox 68 which is scheduled for a July 9, 2019 release. Firefox supports browser extensions; users may install add-ons in the browser to extend functionality of the browser or sites visited in the browser. Add-ons are updated automatically by default whenever a new version is released by the developer or publisher. Firefox users who want more control over the update process may change the default behavior to turn automatic updates off. Current versions of Firefox, those prior to version 68, don't reveal update information when you select Extensions. Updates are highlighted under Available Updates in the Add-ons Manager but only until the update is installed. The only option after installation was to visit the extension's profile page on the Mozilla Add-ons repository, or to look the information up on the developer's site if they were provided there. The profile page on Mozilla AMO lists the release notes of the latest version of an add-on. It is possible to click on "see all versions" on the page to display release notes for previous releases. Starting with Firefox 68, release notes are also a part of the Extensions listing of the Firefox web browser. Apart from that change, the latest release notes are listed there so that it is possible to go through them after the fact. All you need to do is open about:addons in the Firefox web browser, click on one of the installed browser extensions, and switch to the Release Notes tab. Note that you can also click on the menu icon (the three dots) next to any extension and select "more options" to open the details page of the installed extension. Release Notes are pulled from Mozilla's AMO website when they are opened in the browser; it may take a moment to display them because of that. Implementing an option to integrate release notes with releases so that they don't need to be fetched separately would be a welcome improvement. The release notes depend on the content that the developer of the extension or its publisher add to the release notes snipped on Mozilla AMO. Some developers provide extensive information, others barely any information at all. Closing Words The option to display release notes directly in the Firefox Add-ons Manager is a welcome step in the right direction. I'd like to see an option get these displayed during add-on updates as well to get even more control over the updating process. Mozilla could implement these optionally and keep the automatic process the default in coming versions of Firefox. Source: Firefox 68: add-on release notes in add-ons manager (gHacks - Martin Brinkmann)
  • Create New...