Jump to content

Search the Community

Showing results for tags 'mozilla'.

More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


  • Site Related
    • News & Updates
    • Site / Forum Feedback
    • Member Introduction
  • News
    • General News
    • FileSharing News
    • Mobile News
    • Software News
    • Security & Privacy News
    • Technology News
  • Downloads
    • nsane.down
  • General Discussions & Support
    • Filesharing Chat
    • Security & Privacy Center
    • Software Chat
    • Mobile Mania
    • Technology Talk
    • Entertainment Exchange
    • Guides & Tutorials
  • Off-Topic Chat
    • The Chat Bar
    • Jokes & Funny Stuff
    • Polling Station

Find results in...

Find results that contain...

Date Created

  • Start


Last Updated

  • Start


Filter by number of...

Found 85 results

  1. We test Mozilla’s new Wireguard-based $5/mo VPN service Mozilla's VPN is available now for Windows, Android, and iOS. Enlarge / Mozilla's new Wireguard-based service offers a very simple, attractive, and cleanly functional VPN user interface. Jim Salter 35 with 29 posters participating, including story author Mozilla, the open source company best known for the Firefox Web browser, made its VPN service generally available in the United States this month. The cross-platform VPN is based on Wireguard and delivered in partnership with well-known and especially techie-friendly VPN provider Mullvad. Mullvad itself was, to the best of our knowledge, the first publicly available VPN provider to offer Wireguard support back in 2017. The Mozilla VPN service costs $4.95 per month and offers server endpoints in 30-plus countries. It currently has VPN clients available for Windows 10, Android, and iOS—but users of other operating systems, such as MacOS and Linux, are going to have to wait. Mozilla says that support for MacOS and Linux is coming soon—but unfortunately, even if you're an advanced user who understands Wireguard configs, you can't just roll your own connection now. The service authenticates via Firefox cloud account. When you sign up for a Mozilla VPN subscription, you'll be asked to create a Firefox account if you don't already have one. The Firefox account is an SSO (Single Sign On) service which uses oauth2, much like a Google account—but it's not tied to a Google account, so even if you sign up using a Gmail address tied to an Android device, that device won't be automatically logged in. Aside from the Firefox-based oauth2 integration, Mozilla's VPN appears to effectively be a Mullvad VPN, with a different client application and different billing entity. It is a bit less expensive through Mozilla, though—Mullvad costs €5 per month. This makes Mozilla's offering about $0.80 per month cheaper, at current exchange rates. Before we go any further, we need to make something clear—we've repeatedly said that Ars Technica, as editorial policy, does not and cannot specifically recommend any public VPN service provider. While Mozilla does put its own stamp of approval on Mullvad's policies, we have neither sufficient access nor resources to audit those claims ourselves. Readers will need to decide for themselves whether Mozilla's endorsement and partnership constitutes sufficient assurances for their own level of privacy and security needs. Readers who want a publicly available VPN service and a somewhat higher level of potential privacy might consider bypassing Mozilla and going directly to Mullvad. The Mozilla VPN service must be tied to a working email address and paid for with a credit card. By contrast, Mullvad accounts have no identifying information besides the account number itself, and they can be paid for with bitcoin—or even literal cash in a mailed-in envelope. We don't have any better way to guarantee Mullvad's internal policies and handling than Mozilla's, of course—but never collecting a user's real-world information in the first place is a pretty solid start on the privacy game. Testing Mozilla VPN—Android (Google Pixel 2XL) On Android devices, the Mozilla VPN client is available directly from the Play store. It's a fairly small download (20MiB) and quick install. Once installed, bringing up the application directs the user to log in with a Firefox single sign-on account; assuming that account also has a paid subscription to the Mozilla VPN service, you're ready to go immediately—no additional configuration is necessary. The application itself is about as simple as it could possibly be. By default on first login, a fairly nearby VPN endpoint is automatically selected by geolocation; the VPN itself is off until toggled on using a small slider. After toggling the slider on, the VPN itself connects in two seconds or less... and that's it. By default, all traffic from the phone is routed through the Mozilla VPN. Diving into the Settings tab reveals a little more functionality. You can manage your Mozilla VPN account, change your VPN endpoint, or opt to pass individual apps on your phone or tablet directly through to the raw network connection. The Mozilla VPN account management just opens a webpage in your default browser; logging in with your Firefox SSO once more gives you access to your payment and profile information. Selecting a VPN endpoint lets you first choose an endpoint country, and then you choose from one or more city locations in that country. The nice thing here is that changing your endpoint automatically breaks and reconnects your VPN connection as well—there aren't any additional clicks necessary. Finally, the "Protect specific apps" setting does just what you'd expect, providing you with two lists—protected apps (those routed through the VPN) and unprotected apps (given direct network access). You don't see these lists at all unless you toggle the slider on; once you do, all apps by default are protected. If you prefer your defaults the other way around, you get a button to "unprotect all apps" as well as individual checkboxes for the apps themselves. So getting things just the way you like them is easy. There is no option to pass LAN traffic directly through—so if you use apps that depend on local traffic, you'll unfortunately need to pass those entire apps through. Testing Mozilla VPN—Windows 10 (build 2004) If you read through the Android section above, you know just about everything you need to know about the Windows client as well. The interfaces are almost pixel for pixel identical, although you can resize the Windows client, since it's running on a full multiple-window desktop interface. The one real difference we found between Android and Windows is the ability to pass local network traffic directly to the local network, bypassing the VPN. This allows connections to devices such as printers, local file servers, Plex media servers, and so forth to continue unmolested. It would be nice if Android offered the same option—one of the biggest complaints we saw in user reviews on the Play store was from people frustrated that enabling the VPN on their phones broke exactly those sort of connections. On the other hand, the Windows client is missing the ability to route individual apps' traffic through the VPN or directly to the local interface. You win some, you lose some. Performance testing with Mozilla VPN The TL;DR here is simple—Mozilla VPN's performance is perfectly fine. We found very little difference between a raw, direct connection and one routed through a relatively nearby Mozilla/Mullvad endpoint, whether testing using a Pixel 2XL phone connected over Wi-Fi, or a Windows 10 build 2004 VM connected via Ethernet. The nearest endpoint to our test location is in Atlanta, Georgia—where we also maintain a self-hosted Wireguard instance. Our self-hosted Wireguard instance in Atlanta was not meaningfully faster or slower than Mozilla's in the same city. We saw slightly better latency to our self-hosted endpoint (accessed via the vanilla Wireguard client on each platform) and slightly better throughput to the Mozilla endpoint. The farther away your endpoint, the more difference you'll see in both latency and throughput. Routing from the US East Coast through London added about 80ms latency and lost about 15-20 percent of the possible throughput, on either Android/Wi-Fi or Windows/Ethernet. Conclusions Did we mention that we cannot specifically recommend any commercial VPN provider? Well, we're not going to stop mentioning it. Although Mozilla has earned many people's trust for its own advocacy for Internet privacy through both policy and code, we cannot verify how either it or its partner Mullvad actually handle its internal networks. With that said, the stated policies of both Mozilla and Mullvad are on point, the Mozilla-provided Android and Windows clients are easy and intuitive to use, and the network performance was very good indeed. If you're in the market for a commercial VPN provider and you like Mozilla, this service is well worth a look. We test Mozilla’s new Wireguard-based $5/mo VPN service
  2. Mozilla VPN launches in some countries officially Mozilla announced the launch of the organization's VPN service, called Mozilla VPN, yesterday on the official blog. Rumors that the official launch was imminent surfaced in June 2020. The service is available in the United States, Canada, the United Kingdom, Singapore, Malaysia and New Zealand, and available for $4.99 per month. Mozilla plans to expand to other -- unmentioned -- countries later this year. A waitlist is provided for users interested in the VPN that cannot join because of country restrictions- The VPN is available for Windows, Android and iOS devices currently, but Mozilla promises that Linux and Mac clients are under development and will become available eventually as well. The network provides access to more than 280 servers in more than 30 countries currently, and does not impose restrictions on bandwidth. Mozilla promises that network activity is not logged, and that it has not partnered with third-party analytics platforms. The VPN solution may be used on up to five devices. The client uses the cutting edge WireGuard protocol which has a slim code base, is open source, focuses on modern cryptographic techniques, and promises very high speeds when compared to classic VPN protocols. The VPN network is provided by Mozilla's partner Mullvad, a privacy-focused VPN offered by the Swedish company Mullvad VPN AB. Mozilla unveiled the VPN solution in 2019, then under the name Firefox Private Network VPN to beta testers from the United States. The organization changed the name because it wants to reach a wider audience with the service and not just Firefox users, and also to better distinguish the device-wide VPN solution from the Firefox Private Network browser extension which adds a VPN-proxy to the Firefox web browser. Mozilla VPN is one of the main attempts by Mozilla to diversify the organization's income. Most revenue comes from search partner deals in the Firefox web browser, and one of Firefox's main competitors, Google with its Chrome browser, provides most of the income currently. Mozilla started several projects in the recent past, some of them paid, to diversify the income. Firefox VPN is probably the most promising product at the time of writing as it fits well into Mozilla's privacy-focused image. Details about the agreement between Mozilla and Mullvad are not available, and it is unclear how much of the $4.99 per month is ending up in Mozilla's pockets. Mozilla VPN launches in some countries officially
  3. sanjoa

    Issue with Firefox and IDM

    Hi everybody! I'm facing issues with Internet Download Manager and Firefox 77.0/77.0.1. IDM integration module stopped working since I've updated to latest Mozilla version. IDM support told me to uninstall and reinstall the plugin but it didn't work. What should I do?
  4. Firefox Private Relay is Mozilla's latest experimental service Firefox Private Relay is a new experimental service by Firefox maker Mozilla; the (currently) invite-only service is designed to reduce unwanted emails and spam by acting as a proxy email service of sorts. The idea is not new but Mozilla may be on to something considering that trust is important for this kind of service. Users sign-in with their Firefox account, or create a new one, to start using the service. A companion add-on for Firefox is available as well which integrates the service in Firefox. Users of the service may use it to create alias email addresses on the fly that redirect emails sent to them to the user's "real" email address. The user is in full control of the alias and may terminate or disable the alias at any point in time to cut the connection and block any spam or unwanted emails from reaching the real email address. Users may click on the relay button next to email fields to create an alias on the fly. The alias is automatically forwarding emails that come from that service to the real email address. The add-on's description provides further information: Private Relay adds UI to generate unique, random, anonymous email addresses that forward to your real address. You can use your relay addresses to sign up for apps, sites, or newsletters. When you're done with that service, you can disable or destroy the email address so you'll never receive any more emails from it. And, if the service has an incident, their data won't be linked back to you. Some features are unclear at the time of writing because of the invite-only nature of the service. Will users be able to select different domains for the email aliases or only one? It is quite common that disposable email services and email forwarding services get blocked by Internet companies and sites. It is also unclear whether Mozilla plans to introduce a paid option or options such as custom domain, if PGP or similar is supported, and whether functionality is limited in any form (e.g. number of aliases or forwards). Users who don't have an invite at the time may check Anonaddy, an open source service that is offering free and cheap paid accounts. Source: Firefox Private Relay is Mozilla's latest experimental service (gHacks - Martin Brinkmann)
  5. Mozilla has a new virtual private network service and if you have a Chromebook, a Windows 10 computer or an Android device in the US, you can start using a beta version now. Called Firefox Private Network, the new service is designed to function as a full-device VPN and give better protection when surfing the web or when using public Wi-Fi networks. The company offers two options: a free browser-extension version, which it launched in beta last year, that provides 12 one-hour VPN passes when using the Firefox browser and a Firefox account; and a second, $4.99-a-month option that provides a more complete VPN service across your whole device. The new paid option, which runs off of servers provided by Swedish open-source VPN company Mullvad, can protect up to five devices with one account. It allows for faster browsing and streaming, and gives you the ability to tap into servers located in "30-plus countries" for masking your location data. It works on Windows 10, Android and Chromebooks, with Mozilla touting that iOS is "coming soon." Support for Mac, Linux and additional countries are also in the works. According to Mozilla, the premium option won't monitor or log any user data. The company's free version, which is provided by Cloudflare, however, "temporarily logs unidentified browsing history and deletes this data within 24 hours as a mechanism to detect and handle abuse on the network." Mozilla does add that, "Neither Firefox nor Cloudflare is able to associate usage with users, as each party holds partial aspects of this data which are never joined." The move is a much-needed step up in security, especially for those who travel. Whereas an incognito mode can delete your web history, those looking to prevent trackers from their internet provider and add an extra layer of protection when using open networks should use a VPN. If you want to try out the browser-level protection, you can do so today with the Firefox browser extension. The premium option has a waitlist for those looking to join but is accepting new submissions. Source
  6. Development of Thunderbird email client to be moved to a new Mozilla subsidiary named MZLA Technologies Corporation. The Mozilla Foundation announced today that it was moving the Thunderbird email client to a new subsidiary named the MZLA Technologies Corporation. Mozilla said that Thunderbird will continue to remain free and open source, but by moving the project away from its foundation into a corporate entity they will be able to monetize the product and pay for its development easier than before. Currently, Thunderbird is primarily being kept alive through charitable donations from the product's userbase. "Moving to MZLA Technologies Corporation will not only allow the Thunderbird project more flexibility and agility, but will also allow us to explore offering our users products and services that were not possible under the Mozilla Foundation," said Philipp Kewisch, Mozilla Product Manager. "The move will allow the project to collect revenue through partnerships and non-charitable donations, which in turn can be used to cover the costs of new products and services," Kewisch added. The Firefox browser, Mozilla's primary product, is also managed in a similar manner, through a corporate entity named the Mozilla Corporation, a subsidiary of the Mozilla Foundation. Mozilla almost abandoned Thunderbird a few years back Thunderbird getting its own corporate sub-entity under the Mozilla Foundation is a far cry from the project's past status. The email client almost died in 2012. At the time, Mozilla announced that due to a lack of funding it was stopping development on new Thunderbird features, committing to providing only security updates moving forward. Things hit rock bottom in December 2015 when the Mozilla Foundation announced plans to unload the project to a new entity. In 2016, Mozilla even carried out an audit [PDF] of possible new Thunderbird homes, identifying the Software Freedom Conservancy (manager of Git, BusyBox, Samba, and Wine) and the Document Foundation (managers of the LibreOffice office suite) as possible landing spots. However, the impeding doom of their favorite email client rallied the Thunderbird community. Donations flooded Mozilla throughout 2016 and 2017, and the foundation had a change of heart in May 2017, re-comitting to the project after seeing the community's willingness to provide financial support for the project. "Ultimately, this move to MZLA Technologies Corporation allows the Thunderbird project to hire more easily, act more swiftly, and pursue ideas that were previously not possible," Kewisch said about Thunderbird's new corporate entity. The project re-entered active development in 2017, and has received loads of new features, including a move to a new codebase.The current Thunderbird version is v68. It also recently announced it was adding built-in support for encrypted emails. Source
  7. Following the tradition, developers of Mozilla Firefox and Google Chrome have recently sent cakes to Microsoft after the launch of Chromium-based Edge browser for both Windows and Mac. Sending anniversary cake is a long known tradition-- 14 years to be precise. The cake sent by Google had a message: “Welcome to Chromium!”, while Mozilla's cake read, “bing it on, Microsoft!” Microsoft's Internet Explorer team started the cake-giving tradition back in 2006 when the developer team had sent a cake to Mozilla after the launch of Firefox 2 in 2006. The Internet Explorer team continued to send cakes to Mozilla and when Internet Explorer 10 was launched back in 2012, the Firefox developers sent a big cake to the Microsoft team as a return favour. The new Microsoft Edge is based on Chromium and was released on January 15. It is compatible with all supported versions of Windows, and macOS. Downloading the browser will replace the legacy version of Microsoft Edge on Windows 10 PCs. As far as the reason to launch the Chromium-based Edge browser, Microsoft said, “We adopted the Chromium open source project in the development of the new Microsoft Edge to create better web compatibility for our customers, and less fragmentation of the web for all web developers.” Meanwhile, Google Chrome internet browser is the most popular internet browser globally, however, the German Federal Office for Information Security feels that you should not use Chrome if you are worried about privacy and security. The government agency of Germany had recently rated Mozilla Firefox as the most secure internet browser above Chrome, Edge and Internet Explorer. Having said that the agency did not compare it with Safari, Opera or other browsers. The areas where Chrome, Edge and Internet Browsers failed is lack of support for a master password mechanism along with other issues like there is no built-in update system in Internet Explorer. In all the three browsers, there is no provision to block telemetry collection and lacks in organisational transparency. Source
  8. Has Mozilla created a two-tier add-ons system? "This extension isn't monitored by Mozilla. Make sure you trust the extension before you install it." is displayed on the Firefox Browser add-ons website when users open all but some of the add-on pages on the official repository. About 100 extensions are listed on the official add-ons repository without the notification, and all of these are so-called recommended extensions. Mozilla unveiled the Recommended Extensions program for Firefox in April 2019 officially as a way to highlight and promote certain extensions for the web browser. These extensions undergo rigorous auditing before they are accepted into the program and whenever they are updated, unlike all other extensions, as these are reviewed after they have been made available. Additionally, Mozilla requires that developers show commitment and that the extensions need to offer an "exceptional user experience" and be relevant. Developers get the "recommended extension" stamp in return and their extension promoted on Mozilla's AMO website and also in the Firefox web browser as part of the integrated recommendation program. Firefox users who open the extensions hub on the Mozilla website may browse extensions in multiple ways. Mozilla displays categories at the top and then a list of recommended, top rated, and trending extensions. A click on the last three links lists only extensions that are recommended by Mozilla; the categories link and search list recommended and regular extensions. It is possible to uncheck the option to only display recommended extensions to include regular extensions in the listing of add-ons but users are, for the most part, exposed to recommended extensions first. That's not a bad thing considering that these are of high-quality and audited before they are published. The decision to create the program has an impact on the majority of extensions for the Firefox web browser however. The two main issues are decreased visibility because recommended extensions are displayed exclusively in many of the listings, and the -- rather scary -- warning that Mozilla displays whenever the page of an extension is opened that is not recommended. The latter suggests that there may be a risk involved in installing these extensions. Most Firefox users won't be able to go through the source code of the extension to determine that it is safe to use. Mozilla's "learn more" link that is displayed next to the warning tries to explain the risks of installing non-Recommended extensions. There are thousands of extensions and the vast majority are built with honest intent to provide people with useful tools and features. But even extensions built with the best intentions may inadvertently expose or otherwise compromise sensitive data. Also, unfortunately, there are a few bad actors out there intent on stealing user data. One method of mining information can be through tricking users into installing malicious extensions. (Here are tips for assessing the safety of an extension.) Due to the curated nature of Recommended extensions, each extension undergoes a thorough technical security review to ensure it adheres to Mozilla’s add-on policies. The information, while honest, may sound scary to users and it is quite plausible that a percentage will not install "non-Recommended" extensions because of it. It needs to be noted that Chrome extensions face the exact same risks as non-Recommended extensions for Firefox. Google does not highlight this at all on the Chrome Web Store; Mozilla is open about the potential dangers of extensions for the browser. On the other hand, Mozilla did audit all extensions in the past before they were made available on the Firefox AMO extensions store. Has Mozilla created a two-tier add-ons system? The short answer is yes and the system has very likely an impact on non-recommended extensions on Mozilla AMO and the extensions that Firefox users install. It could reduce the impact that malicious or problematic extensions have but it may also lead to less extensions being developed or maintained for Firefox because of it. Source: Has Mozilla created a two-tier add-ons system? (gHacks - Martin Brinkmann)
  9. Mozilla announces that it will comply with Californian privacy rules worldwide Mozilla has announced that it plans to abide by the new California Consumer Privacy Act (CCPA) on a worldwide scale in the new year, not just for those based in the western U.S. state. For those that haven’t been tracking CCPA, it’s a new law that gives Californians more privacy protections, similar to what Europeans have with the GDPR. The CCPA comes into effect on January 1, 2020. With the CCPA in place, the Attorney General of Califonia is allowed to enforce privacy protections, those in California can also sue companies not handling their data in accordance with the law. Under CCPA, users in California can ask companies what personal information is being collected, gain access to it, update and correct it, delete it, find out who it’s being shared with, and opt-out of its sale to third-parties. In the announcement, Mozilla said it already collects very little data about its users; in an upcoming update, however, Mozilla plans to give users the ability to delete their telemetry data from Mozilla’s servers. In Firefox, telemetry only gives Mozilla general information such as how many tabs were open and how long they’re open for; the company can’t tell what sites you’re on and doesn’t collect any data while you’re in private browsing mode. In the next browser update on January 7, users will be able to find a control to delete their telemetry data. For the time being, this feature sounds as though it will only be available in the desktop version of the browser, but knowing Mozilla, the mobile version will probably gain the feature sooner or later. Source: Mozilla announces that it will comply with Californian privacy rules worldwide (Neowin)
  10. Mozilla revenue dropped in 2018 but it is still doing well Mozilla published the organization's Annual Report for the year 2018 on November 25, 2019. The report, an audited financial statement, provides information on income and expenses in the year 2018. One of the main questions that Firefox users may have had after 2017 was how well Mozilla was doing after it canceled the search deal with Yahoo (which was acquired by Verizon and the main search provider since 2014 when Mozilla picked Yahoo over Google). Mozilla switched from a model in which it selected a single search provider to one that would pick providers based on regions in the world. Instead of just dealing with Yahoo, Mozilla picked companies like Google, Baidu or Yandex and made them the default provider in certain regions of the world. The financial report indicates that the decision reduced the organization's revenue from royalties significantly. Mozilla earned about 539 million US Dollars in royalties in 2017 and only 429 million US Dollars in 2018; a drop of more than 100 million US Dollars. The organization started to work on improving other revenue streams at about the same time and while these increased when compared to 2017, pale in comparison to the income by royalties. Revenue from subscriptions and advertising rose from 2.6 million US Dollars to 5.3 million US Dollars; it doubled and makes up more than 1% of the total revenue of the organization now. The organization acquired the Internet service Pocket in 2017. Expenses increased in 2018 to 451 million US Dollars from 421 million US Dollars in 2017. Mozilla stated that it remains in a strong financial position going forward. Despite the year-over-year change, Mozilla remains in a strong financial position with cash reserves to support continued innovation, partnerships and diversification of the Firefox product lines to fuel its organizational mission. Closing Words Mozilla's revenue dropped by more than 110 million US Dollars in 2018 but the decision to cancel the deal with Yahoo was deliberate. The focus on other revenue streams doubled the revenue from non-search deals and it seems likely that revenue will go up even further in 2019 and beyond. Plans to launch Firefox Premium, VPN services and other Firefox-branded products will certainly increase revenue earned from these streams further. Considering that Mozilla's situation is not perfect, as it depends for the most part on money from its main competitor Google, diversifying revenue is more important than ever. Source: Mozilla revenue dropped in 2018 but it is still doing well (gHacks - Martin Brinkmann)
  11. Mozilla has been heavily invested in WebAssembly with Firefox, and today, the organization teamed up with a few others to form the new Bytecode Alliance, which aims to create "new software foundations, building on standards such as WebAssembly and WebAssembly System Interface (WASI)". Mozilla has teamed up with Intel, Red Hat, and Fastly to found the alliance, but more members are likely to join over time. The goal of the Bytecode Alliance is to create a new runtime environment and language toolchains which are secure, efficient, and modular, while also being available on as many platforms and devices as possible. The technologies being developed by the Bytecode Alliance are based on WebAssembly and WASI, which have been seen as a potential replacement for JavaScript due to more efficient code compiling, and the expanded capabilities of being able to port C and C++ code to the web. To kick things off, the founding members have already contributed a number of open-source technologies to the Bytecode Alliance, including Wasmtime, a lightweight WebAssembly runtime; Lucet, an ahead-of-time compiler; WebAssembly Micro Runtime; and Cranelift. Mozilla's Luke Wagner, who helped create WebAssembly, commented on the formation and prupose of the Bytecode Alliance, expressing hope that the technology will move beyond browsers and offer a new level of security: You can learn more about the Bytecode Alliance here. Source: Mozilla, Intel, and more form the Bytecode Alliance to take WebAssembly beyond browsers (via Neowin)
  12. New TLS protocol extension will shorten the window an attacker has to perform a man-in-the-middle attack. Facebook, Mozilla, and Cloudflare announced today a new technical specification called TLS Delegated Credentials, currently undergoing standardization at the Internet Engineering Task Force (IETF). The new standard will work as an extension to TLS, a cryptographic protocol that underpins the more widely-known HTTPS protocol, used for loading websites inside browsers via an encrypted connection. The TLS Delegate Credentials extension was specifically developed for large website setups, such as Facebook, or for website using content delivery networks (CDNs), such as Cloudflare. HOW TLS DELEGATE CREDENTIALS WORKS For example, a big website like Facebook has thousands of servers spread all over the world. In order to support HTTPS traffic on all, Facebook has to place a copy of its TLS certificate private key on each one. This is a dangerous setup. If an attacker hacks one server and steals the TLS private key, the attacker can impersonate Facebook servers and intercept user traffic until the stolen certificate expires. The same thing is also valid with CDN services like Cloudflare. Anyone hosting an HTTPS website on Cloudflare's infrastructure must upload their TLS private key to Cloudflare's service, which then distributes it to thousands of servers across the world. The TLS Delegate Credentials extension allows site owners to create short-lived TLS private keys (called delegated credentials) that they can deploy to these multi-server setups, instead of the real TLS private key. The delegated credentials can live up to seven days and can be rotated automatically once they expire. TLS DELEGATED CREDENTIALS SHORTENS MITM ATTACK WINDOW The most important security improvement that comes with this new TLS extension is that if -- in the worst-case scenarios -- an attacker does manage to hack a server, the stolen private key (actually a delegated credential) won't work for more than a few days, rather than weeks, months, or even a year, as it does now. You can read more in-depth technical explanations about the new TLS Delegated Credentials extensions on the Facebook, Mozilla, and Cloudflare blogs. The IETF draft specification is available here. TLS Delegated Credentials will be compatible with the TLS protocol v1.3 and later. Source: Facebook, Mozilla, and Cloudflare announce new TLS Delegated Credentials standard (via ZDNet)
  13. Firefox users won't be able to sideload extensions starting March 2020, with Firefox 74. Mozilla has announced today plans to discontinue one of the three methods through which extensions can be installed in Firefox. Starting next year, Firefox users won't be able to install extensions by placing an XPI extension file inside a special folder inside a user's Firefox directory. The method, known as sideloading, was initially created to aid developers of desktop apps. In case they wanted to distribute a Firefox extension with their desktop app, the developers could configure the app's installer to drop a Firefox XPI extension file inside the Firefox browser's folder. SIDELOADING REMOVED BECAUSE OF ABUSE This method has been available to Firefox extension developers since the browser's early days. However, today, Mozilla announced plans to discontinue supporting sideloaded extensions, citing security risks. "Sideloaded extensions frequently cause issues for users since they did not explicitly choose to install them and are unable to remove them from the Add-ons Manager," said Caitlin Neiman, Add-ons Community Manager at Mozilla. "This mechanism has also been employed in the past to install malware into Firefox," Neiman said. TWO-PHASE REMOVAL PLAN As a result, Mozilla plans to stop supporting this feature next year in a two-phase plan. The first will take place with the release of Firefox 73 in February 2020. Neiman says Firefox will continue to read sideloaded extensions, but they'll be slowly converted into normal add-ons inside a user's Firefox profile, and made available in the browser's Add-ons section. By March 2020, with the release of Firefox 74, Mozilla plans to completely remove the ability to sideload an extension. By that point, Mozilla hopes that all sideloaded extensions will be moved inside users' Add-ons section. Through the move, Mozilla also hopes to help clean up some Firefox installations where malware authors were secretly sideloading extensions behind users' backs. Since these extensions will now show up in the Add-ons sections, users will be able to remove any extensions they don't need or don't remember installing. TWO METHODS OF LOADING EXTENSIONS REMAIN Further, Mozilla's blog post on the matter today also serves as a notice for extension developers, who will have to update their extensions and make them available through another installation mechanism. There are currently two other ways through which developers can distribute extensions, and through which users can install them. The first and the most widely known is by installing extensions from the official addons.mozilla.org (AMO) portal. Extensions listed here are verified by Mozilla, so most are relatively safe, albeit the security checks aren't 100% sure to catch all malicious code. The second involves using the "Install Add-on From File" option in Firefox's Add-ons section. Users have to manually download a Firefox XPI extension file, visit the Add-ons section, and then use the "Install Add-on From File" option to load the extension in their browser. This option is usually employed for loading extensions that have to handle sensitive corporate data inside enterprise environments, and can't be distributed via the AMO portal. There was also a fourth method of loading extensions inside Firefox, but this was removed in September 2018, with the release of Firefox 62. This involved modifying Windows Registry keys to load custom extensions with Firefox installations. This, too, was abused by malware devs, and Mozilla decided to remove it. Source: Mozilla to stop supporting sideloaded extensions in Firefox (via ZDNet)
  14. Karlston

    Mozilla about to launch VPN beta

    Mozilla about to launch VPN beta Mozilla, maker of the Firefox web browser, will launch the first beta of its upcoming VPN service in the coming weeks. The organization launched Firefox Private Network in September 2019 which added a browser proxy to the web browser. Available only for users from the United States at the time, it resembled the VPN feature of the Opera web browser and third-party VPN extensions the most. Firefox Private Network protects user data by encrypting it and masking the IP address of the connection at the same time. Mozilla picked Cloudflare as its partner for the service; Firefox users get connected to the nearest Cloudflare data center when they activate Private Network in the web browser. The initial solution lacked several important features: there was no option to select a different region/server to connect to, and no information about the connection among other things. Mozilla revealed the next steps of the project in a new announcement on the official Firefox Private Network site. A version of Private Network will still be free As one of our beta testers, you’ll automatically be converted to a new version of Firefox Private Network. This offers all the same benefits as before, but for a limited amount of time each month. You’ll get 12 hours of Private Network in the form of four three-hour passes. Next time you’re on public Wi-Fi, turn on Private Network to claim one of your passes. Once you validate a pass, it runs without stopping for three hours. You’ll get four new passes at the beginning of every month. For unlimited access, you have the opportunity to join our invite-only VPN beta We’re nearly ready to invite our beta testers to try out Firefox Private Network full-device protection. You can join the waitlist right now — before we open it up to the public. This invite-only VPN beta will protect your entire device and offers the option to switch between servers in 39 countries. Thanks again for participating in the Firefox Private Network beta. You’re helping us build products that put people and their privacy first. The organization plans to move to a new beta phase with two main changes: Private Network will remain free to use but it will be limited. Launch of the VPN service that runs on the device-level. Firefox Private Network beta testers will automatically be migrated to the new version of the solution once it becomes available. The free version of the solution limits the amount of time that users of the network have each month. Mozilla plans to provide users with four three-hour passes per month that they may use. The passes run non-stop for three hours without option to split the time between different periods. The upcoming VPN service takes the service to the next level. It runs on the device just like any other VPN service, e.g. NordVPN or Private Internet Access. Mozilla revealed little about it in the announcement. In fact, the only information that the organization revealed is that it will feature servers in 39 countries. The invite-only beta will launch in the coming weeks and since everything is labeled beta, subject to change. Closing Words Private Network and the upcoming VPN service are beta products at this time and therefore subject to change. Information is scarce at this point; we don't know if Mozilla will operate the VPN on its own (unlikely) or have a partner (likely), how much it will cost when it comes out, and what features it will bring along with it. It seems likely that Mozilla will maintain both products: Private Network as an in-browser solution with a free option and the VPN as a device-wide solution for users who want to protect all Internet traffic. I'm not a fan of the three-hour long passes of Private Network as they are not very flexible. While these may work in some cases, they lack flexibility as you cannot really use them for quickly checking emails on the airport as you'd waste a full pass that way. Source: Mozilla about to launch VPN beta (gHacks - Martin Brinkmann) If you like this post, then this post.
  15. Mozilla cleans up Firefox to cut risk of code injection attacks and deter use of a dangerous JavaScript function. Firefox-maker Mozilla has detailed its recent efforts to harden the browser against code injection attacks. That hardening work has focused on removing "potentially dangerous artifacts" in the Firefox codebase, including inline scripts and eval()-like functions, according to Mozilla's content security lead Christoph Kerschbaumer. The removal of inline scripts is meant to improve protection for Firefox's 'about' protocol, more commonly known as about: pages. There are dozens of these about: pages, which allow users to do things like display networking information, see how the browser is configured, and view installed plug-ins. Mozilla had some concerns that attackers could use code injection attacks to abuse the about:config page, which "exposes an API to inspect and update preferences and settings, which allows Firefox users to tailor their Firefox instance to their specific needs", Kerschbaumer explains. These about: pages are written in HTML and JavaScript and therefore share the same security model as normal web pages, which are also vulnerable to code injection attacks. An attacker could inject code into that about: page and then change the browser's configuration settings, for example. The two-part response to this security risk was to rewrite all inline event handlers and move all inline JavaScript code to "packaged files" for all 45 of the about: pages. Second, Mozilla set a "strong" Content Security Policy to ensure that injected JavaScript code does not execute. Now JavaScript code will only execute when loaded from a packaged resource using the internal chrome: protocol. "Not allowing any inline script in any of the about: pages limits the attack surface of arbitrary code execution and hence provides a strong first line of defense against code injection attacks," notes Kerschbaumer. Another hardening effort addresses the eval() function in JavaScript, which Mozilla describes as a "dangerous function" and warns web developers never to use. "Eval() is a dangerous function, which executes the code it's passed with the privileges of the caller," Mozilla explains in developer support notes. "If you run eval() with a string that could be affected by a malicious party, you may end up running malicious code on the user's machine with the permissions of your webpage / extension. More importantly, a third-party code can see the scope in which eval() was invoked, which can lead to possible attacks in ways to which the similar Function is not susceptible." Kerschbaumer describes the function as a "powerful yet dangerous tool" that introduces "significant attack surface for code injection, and we discourage its use in favor of safer alternatives". "We rewrote all use of 'eval()'-like functions from system privileged contexts and from the parent process in the Firefox codebase. Additionally we added assertions, disallowing the use of 'eval()' and its relatives in system-privileged script contexts," he notes. The purpose of this measure is to reduce the attack surface in Firefox and further discourage the function's use. Source
  16. A Controversial Plan to Encrypt More of the Internet The road to routing all Domain Name System lookups through HTTPS is pocked with disagreements over just how much it will help. ILLUSTRATION: ELENA LACEY; GETTY IMAGES The security community generally agrees on the importance of encrypting private data: Add a passcode to your smartphone. Use a secure messaging app like Signal. Adopt HTTPS web encryption. But a new movement to encrypt a fundamental internet mechanism, promoted by browser heavyweights like Google Chrome and Mozilla's Firefox, has sparked a heated controversy. The changes center around the Domain Name System, a decentralized directory that acts essentially as the internet's address book. When you send data to or request it from a server, a DNS lookup ensures that it goes to and comes from the right place. Google and Mozilla plan to encrypt those interactions sometime this year. Which sounds straightforward enough—but not everyone is convinced that the shift solves more problems than it potentially creates. Reach For My Resolver The concept of DNS was developed in the mid-1980s, and hasn't evolved much since the early 1990s. Like many foundational internet protocols, DNS has been remarkably flexible and serviceable over the years. But having roots that predate the rise of the modern internet has led to inevitable problems, one of which is that those address lookups aren't encrypted. That’s a big deal. Any time your browser attempts a DNS lookup, that request can pass across multiple servers. Your internet service provider, lurking government snoops, and just anyone on the same Wi-Fi network can see what websites you visit, even if they can't see what you do once you actually load the sites. It gets even worse. Since DNS requests are unencrypted, bad actors can manipulate them to strategically send you to the wrong website. It’s like listing your address under someone else's name, and getting all their packages delivered to your house. This type of attack, known as DNS hijacking, has been on the rise; in January, the Department of Homeland Security even issued an emergency directive about the threat. "Yeah it’s going to be work, but that’s fine, just do the work." Matthew Prince, Cloudflare Which explains the push for encrypted DNS: It would make those types of surveillance and misdirection much harder. The Internet Engineering Task Force standards body has already codified a few different methods for implementing it, namely “DNS over HTTPS” (DoH) and “DNS over TLS” (DoT). Both protocols apply ubiquitous web encryption to DNS requests. The two standards are very similar, except DoT separates encrypted DNS traffic into its own recognizable channel (an attribute network defenders largely prefer), while DoH intermingles encrypted DNS traffic with general HTTPS encrypted web traffic so they're indistinguishable (an additional privacy benefit to some). Each approach has its pros and cons, but both Mozilla and Google have elected to go with DoH in their browsers. No matter which version you choose, though, adding a layer of encryption to DNS requires some systemic rejiggering. It's like writing down your order at a restaurant, locking it in a small safe, and then handing the safe to the waiter to take back to the kitchen. You won't give away any personal information about your culinary preferences, but you also won't get the right meal. To get around this complication, secure DNS protocols rely on intermediaries called "resolvers," which can still see the requests unencrypted as they come through. Mozilla has piloted its encrypted DNS with the internet infrastructure company Cloudflare acting as the main resolver. Cloudflare has already been offering encrypted DNS with a service called for more than a year. Mozilla chose the company because it pledged to delete all DNS logs after 24 hours, never share data with third parties, and submit to audits to confirm that data is really being deleted. But users can set Firefox to default to any resolver that supports DoH. Similarly, Chrome is starting out by offering DoH with six resolvers, including Cloudflare and Google itself. That centralization of DNS requests worries detractors. Unlike end-to-end encrypted messaging, in which only you and the person you’re talking to can read the messages on each of your devices, encrypted DNS doesn’t quite succeed at boxing everyone out. It cuts telecoms and governments out of the equation in one way, but introduces new tech giants and third parties in another. "I would love it if there were 100 other encrypted DNS providers that customers could choose from," says Cloudflare CEO Matthew Prince. "We think that would be great. I get that there being a limited set of choices doesn’t feel good. But there's nothing proprietary about this. You can download open source software and run this today." The pro-privacy Electronic Frontier Foundation has acknowledged the concerns about consolidating DNS with so few resolvers, but recently suggested that the potential privacy benefits are worth the downside so long as more entities get into the space. Specifically, EFF called on internet service providers to start acting as encrypted DNS resolvers themselves. Ideally, this would involve getting ISPs to sign on to strict privacy protections like those Cloudflare has promised to adhere to as part of the process of adding support for DoH. That may not happen anytime soon, though. And even if it did, you can see how it would be difficult in practice to get entities already making money off of mining DNS data to really change their ways. A consortium of telecommunications trade associations wrote a letter to Congress in September opposing encrypted DNS and calling Google anti-competitive for starting to support it in Chrome. This argument seems specious at best, given that Chrome will be able to use a number of resolvers, not just Google’s. The overall effort, though, reflects how invested ISPs are in protecting their access to DNS data, seemingly so they can mine it to fuel targeted advertising. ISPs do also use insight into DNS requests to offer services like content filtering for children. House of Representatives investigators are currently assessing the letter’s claims. Safety First The ranks of DoH opponents aren't filled only with self-interested corporations. Cybersecurity professionals argue that encrypting DNS requests will make it harder to spot intrusions and malware on their networks, without truly giving web users a more private experience. Meanwhile, encrypted DNS advocates say that these concerns are overblown, especially for large companies that can just set up their own encrypted DNS resolver to access local traffic as before—although those measures aren’t necessarily feasible for the majority of organizations. “There are real operational and security implications of both DoH and DoT,” says Roland Dobbins, a principal engineer at Netscout Arbor. “Everyone needs to consider that things like identifying compromised devices and defending DNS infrastructure from DDoS attacks could become much more complex and costly.” DDoS attacks on DNS servers can have very real consequences. For example, a massive 2016 assault on the DNS provider Dyn caused widespread connectivity outages on the East Coast of the United States and around the country. "We're just trading who can potentially track us." Jake Williams, Rendition Infosec Researchers have already spotted malware built to evade detection by connecting to command and control servers using encrypted DNS requests. And another major concern is that if hackers were to compromise a trusted DNS resolver, they would be able to pull off devastating DNS hijacking attacks that wouldn't be detectable to the outside world. A similar issue already exists when hackers compromise the “certificate authorities” that underpin general HTTPS web encryption. Firefox and Chrome are still in the experimental phases of testing encrypted DNS, so most of your connections likely won't take advantage of it for now anyway, and there are still ways to opt out of using it at all. But as with the push to get websites to adopt HTTPS encryption, encrypted DNS will likely move forward now if Chrome and Firefox find that the change doesn’t have too much of an impact on speed or reliability for users. “Yeah it’s going to be work, but that’s fine, just do the work,” says Cloudflare’s Prince. “I’m astonished how political this has been. It makes me uncomfortable that every coffee shop I’m going to knows every site that I’m visiting. It seems like it’s a no brainer to be adding encryption. Let’s just do it!” For the average person, encrypted DNS will offer valuable privacy protections against ISPs and other entities that are hungry for user data. Even so, analysts caution that potentially risky web browsing should still take place with sturdier protections, like a VPN or the anonymity service Tor. Critics of DNS over HTTPS do recognize the irony of pushing for less encryption out of a desire to protect people when the security and cryptography communities overall take a hard line against law enforcement on the value of encrypted communication platforms free of backdoors. But the difference, they say, is that end-to-end encryption or encryption at rest cuts everyone out except the data's owners, while DNS encryption only shifts trust. “From an enterprise standpoint, DNS monitoring is critical to ensuring security. Losing the visibility into DNS is tremendous operational loss and will help attackers more than it ensures privacy,” says Jake Williams, a former NSA hacker and founder of the security firm Rendition Infosec. “As long as you trust resolvers like Cloudflare, then there's no issue. And I personally trust Cloudflare, but others may not. We're just trading who can potentially track us.” Vulnerable web users who've never given any of this a second thought—and don't even know what DNS is—would probably say, though, that they'll take whatever they can get. Source: A Controversial Plan to Encrypt More of the Internet
  17. Mozilla Developer has a new YouTube Channel where you will find videos to help you do your job as a web designer, developer, or person involved making websites or web apps. Both these short videos come from Jen Simmons and introduce helpful Firefox Developer Tools. Subscribe to the YouTube channel to be notified of new content. The new video channel was launched with the following three videos in its about:web playlist. Announcing these video shorts as part of a wider initiative, Miriam Suzanne, who presents two of them, writes: We’re excited to launch a new resource for people who build the web! It will include short videos, articles, demos, and tools that teach web technologies and standards, browser tools, compatibility, and more. No matter your experience level or job description, we’re all working together towards the future health of the web, and Mozilla is here to help. A second playlist is on Firefox browser tools for web professionals. It started with just one video in which Jen Simmons shows devs how to access a handy third-panel in the Firefox Developer Tools, and toggle print preview mode, but has already had two new additions. Thanks Mozilla. More Information Video Shorts from Mozilla Developer Mozilla Developer YouTube Channel Source
  18. Funding online content with small consumer payments rather than intrusive and privacy-compromising ads has for years been a goal for many internet theorists and publishers. “We’re at a point where it’s clear there’s kinds of negative side effects for people and even for democracy of the data-driven ad economy that funds the internet,” says Mark Surman, executive director of the Mozilla Foundation. Now, Mozilla, Creative Commons, and a new micropayment startup have announced a $100 million grant program to finally bring that dream to fruition. The program, called Grant for the Web, will give roughly $20 million per year for five years to content sites, open source infrastructure developers, and others building around Web Monetization, a proposed browser standard for micropayments. “When we started Coil, Coil was essentially the first Web Monetization provider,” says founder and CEO Stefan Thomas. Coil users pay a fixed monthly fee that’s distributed among sites they visit that have Web Monetization enabled, such as the web development site CSS-Tricks, based on how long they visit the sites. The underlying technology supports other providers routing user funding as well. The organizations behind Grant for the Web are setting up an advisory council to determine exactly how the grant money should be paid out. Surman says he’s hopeful the project can help create a web economy with more room for smaller players and publishers. “That’s one of the big dreams that we have with the other partners around the Grant for the Web, [that] we can get back to a place where the small guy really has a chance to make it on the web,” he says. Funding for the grants comes chiefly from a grant Coil itself received from Ripple, the cryptocurrency and money transfer company, says Thomas, who was previously Ripple’s CTO. “This is actually where we got very, very fortunate,” he says. “Most of the time when you’re promoting an open standard, you don’t get to reward people or you don’t get to fund it in that way.” They aim to give at least 50% of the funds to organizations using open licenses like Creative Commons licenses, Thomas says. “The business models of the web are broken and toxic, and we need to identify new ways to support creators and to reward creativity,” says Ryan Merkley, CEO of Creative Commons, in a statement. “Creative Commons is unlikely to invent these solutions on its own, but we can partner with good community actors who want to build things that are in line with our values. Creators have told us through our own user research that gratitude is a core element of why they choose to share their work, and micropayments may be an excellent way to display that gratitude.” Source
  19. Despite looking to make DNS-over-HTTPS (DoH) the default for its American users, Mozilla has assured culture secretary Nicky Morgan that this won't be the case in the UK. DoH has been fairly controversial, with the Internet Services Providers Association (ISPAUK) nominating Mozilla for an 'Internet Villain' over the whole thing, saying it will "bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK." In his letter to Morgan, Mozilla vice president of global policy, trust and security, Alan Davidson, stressed that the company “has no plans to turn on our DoH feature by default in the United Kingdom and will not do so without further engagement with public and private stakeholders”. He did add that Mozilla does "strongly believe that DoH would offer real security benefits to UK citizens. The DNS is one of the oldest parts of the internet’s architecture, and remains largely untouched by efforts to make the web more secure. "Because current DNS requests are unencrypted, the road that connects your citizens to their online destination is still open and used by bad actors looking to violate user privacy, attack communications, and spy on browsing activity. People’s most personal information, such as their health-related data, can be tracked, collected, leaked and used against people’s best interest. Your citizens deserve to be protected from that threat.” Whilst safety is an issue, it has to be balanced with privacy, and walking the line between freedom and forms of censorship is never easy. The sexual abuse and exploitation of children is often cited in this debate, with a government spokesperson stating that it's "an abhorrent crime that this Government is committed to tackling," and one of the measures is blocking certain websites that DoH would allow users to circumvent. “While we look to support security and privacy online, it is vital that all sectors of the digital industry consider child safety when developing their systems and services. We are working with industry on solutions to any potential problems as part of our ongoing work to make the UK the safest place in the world to be online," they said. Source
  20. Mozilla won't follow Google in limiting APIs in coming Extensions Manifest v3 Google revealed some time ago that it was working on a new Extensions Manifest file for the Chrome web browser. The company published an early draft of the Manifest v3 file and it turned out that some extension developers were not particularly happy with some of the changes. Developers spoke out against some of the planned changes as it could be the end for content blockers such as uBlock Origin and others. Google wanted to limit an API that content blockers and other extensions were using for the blocking and replace it with another API that had severe limitations. Google changed some parameters in an updated version of the draft in June but planned to launch the change in development versions of Chrome in 2019. One question that many users had was whether other browser developers would follow Google's implementation. Browsers based on Chromium share code with Google and if Google would implement the changes, would need work to make changes to the code. Most browser makers, Vivaldi, Brave or Opera, have stated openly that they would find ways to lift these changes in one way or another. Mozilla, the organization behind Firefox, is not based on Chromium but the extension system that Firefox uses is designed to be compatible for the most part with Chrome to make it easier for developers to develop extensions for both browsers. The organization published an official statement on of the Mozilla Blog today to clarify its stance on the upcoming Manifest v3 APIs. Most important from a user perspective is that Mozilla won't remove the API that content blockers use today from Firefox. Mozilla uses remove in the context whereas Google plans to alter it so that it becomes read-only; while not entirely clear, I think that Mozilla's statement means that it won't touch the API for now. We have no immediate plans to remove blocking webRequest and are working with add-on developers to gain a better understanding of how they use the APIs in question to help determine how to best support them. Note that Mozilla uses the term "no immediate plans" which means that the organization won't close that door completely. Mozilla plans to implement some of the other changes that Google plans to make. You can read about those on the Mozilla Blog. Manifest v3 has not been published as a final version and it is too early to tell how this will play out in the long run. Will Google make the changes necessary for content blockers to run effectively on Chrome? If that is the case, it is quite possible that Mozilla would follow Google's implementation after all in this regard. If Google plays hardball, the company relies on advertising revenue after all, it seems more likely that Mozilla won't follow Google's implementation to the letter or at all. Mozilla wants to work with extension developers; that is a good sign. Source: Mozilla won't follow Google in limiting APIs in coming Extensions Manifest v3 (gHacks - Martin Brinkmann)
  21. Mozilla revealed plans today to remove so-called legacy add-ons from the organization's repository site for extensions Mozilla AMO. Mozilla AMO hosts legacy add-ons and WebExtensions currently; going forward, Mozilla wants to purge legacy add-ons from the site as those are no longer compatible with any supported version of the Firefox web browser. Legacy add-ons is a broad term that refers to extensions, themes, and other content that is no longer supported by recent versions of the Firefox web browser. Mozilla switched from the classic add-ons system for Firefox to a system that is based on WebExtensions with the release of Firefox 57. Currently, Firefox ESR 52.x is the only supported version of the Firefox web browser that supports legacy add-ons. All other Firefox versions that Mozilla supports, be it Stable, Beta, or Nightly, support only WebExtensions. With no supported version of Firefox still supporting legacy add-ons, Mozilla will remove these extensions from the site to streamline it. Third-party browsers based on Firefox code may continue to support Firefox legacy add-ons, and some users of Firefox made the decision to block browser updates to avoid having legacy add-ons disabled automatically by new versions of the browser. The timeline the organization published today is as follows: September 6, 2018 -- Submissions for new legacy add-on versions are disabled. Mozilla does not accept submissions for new add-ons that use legacy add-on systems already. The change affects extension updates. Early October 2018 -- All legacy add-ons are disabled. Disabled means that they won't show up anymore on Mozilla AMO but are still available in the backend. Since the extensions are still listed on AMO, add-on developers may publish updates that transform their legacy add-ons into WebExtensions. The extensions would get published on the add-ons store again when that happens and users who had these installed -- and not removed yet -- will receive the updates so that they can use the extension once again. Attempts are underway to preserve the classic add-ons archive. These projects have about six weeks to create an archive of all legacy add-ons still available on Mozilla AMO to preserve it. Statistics about the purging would be interesting; how many legacy add-ons, separated into extensions and themes, are removed in October 2018, and how many WebExtensions remain in Store. Closing Words The removal of legacy add-ons from Mozilla Add-ons marks an end of an era. While some long standing extensions have been migrated to WebExtensions, lots of extensions were not for a variety of reasons. Some are abandoned, others can't be ported because the provided APIs don't allow certain functionality, and some extension developers may have decided not to port their extensions. Whatever the reason, the removal marks the end of extensions such as Classic Theme Restorer, DownThemAll, ChatZilla or FirefFTP, and all full themes released for the web browser. It makes sense from Mozilla's perspective to hide these add-ons from Mozilla AMO to avoid user confusion; still, a part of web history and Firefox's history is removed by the move. Related articles How to find replacements for Firefox legacy add-ons How to move Firefox legacy extensions to another browser Source Update from Waterfox Author:
  22. WASHINGTON (Reuters) - Firefox browser maker Mozilla is blocking the United Arab Emirates’ government from serving as one of its internet security gatekeepers, citing Reuters reports on a UAE cyber espionage program. Mozilla said in a statement on Tuesday it was rejecting the UAE’s bid to become a globally recognized internet security watchdog, empowered to certify the safety of websites for Firefox users. Mozilla said it made the decision because cybersecurity firm DarkMatter would have administered the gatekeeper role and it had been linked by Reuters and other reports to a state-run hacking program. Reuters reported in January that Abu Dhabi-based DarkMatter provided staff for a secret hacking operation, codenamed Project Raven, on behalf of an Emirati intelligence agency. The unit was largely comprised of former U.S. intelligence officials who conducted offensive cyber operations for the UAE government. Former Raven operatives told Reuters that many DarkMatter executives were unaware of the secretive program, which operated from a converted Abu Dhabi mansion away from DarkMatter’s headquarters. The program’s operations included hacking into the internet accounts of human rights activists, journalists and officials from rival governments, Reuters found. DarkMatter has denied being connected to offensive hacking operations, saying the reports of its involvement were based on “false, defamatory, and unsubstantiated statements.” The UAE embassy in Washington and DarkMatter did not respond to a request for comment on Tuesday. ‘CREDIBLE EVIDENCE’ Selena Deckelmann, Mozilla’s senior director of engineering, said the reports from Reuters, as well as the New York Times and the Intercept, had made the browser company fear that DarkMatter would use the role of internet security gatekeeper to launch surveillance efforts. Mozilla concluded “that placing our trust in DarkMatter and disregarding credible evidence would put both the web and users at risk,” Deckelmann told Reuters. Websites seeking designation as safe by internet browsers have to be certified by an outside organization, which will confirm their identity and vouch for their security. The certifying organization also helps secure the connection between an approved website and its users, promising traffic will not be intercepted. But if a surveillance group gained that authority, it could certify fake websites impersonating banks or email services, allowing hackers to intercept user data, security experts say. Organizations that want to obtain certifying authority must apply to browser makers like Mozilla and Microsoft. Most of the certifying organizations are independent, private companies. Browsers like Firefox allow websites to obtain certification from any approved authority anywhere in the world. But many countries, including China, the United States and Germany also have government-approved organizations in the role. DarkMatter executives have argued that rejection of the UAE bid to become a certifying body would be a “dystopian” policy by Mozilla “against sovereign nations deemed not worthy of operating their own national certificates.” GROWING FEARS In 2017, DarkMatter applied on behalf of the UAE government for certificate authority. The company also applied to Mozilla to become a commercial certifier in its own right. Following Reuters reports earlier this year, Mozilla executives began to fear that DarkMatter could use the authority to spy on users, a Mozilla executive said in the company’s public online forum. Mozilla executives said rejecting an applicant on the basis of media reports was unprecedented. In past cases, Mozilla primarily relied on technical evidence to determine certification authority. In Mozilla’s public discussion boards, DarkMatter executives and some security experts warned that relying on news articles to decide who can become a certificate authority would permanently taint the process with bias. Mozilla’s stated concerns showed “a hidden organizational animus that is fatal to the idea of ‘due process’ and ‘fundamental fairness,’” Benjamin Gabriel, general counsel for DarkMatter, wrote in the online forum. In May, a DarkMatter executive said the company would move its certificate business to a new entity called DigitalTrust. That company would be controlled by a firm called DM Investments, which is owned by DarkMatter founder Faisal Al Bannai. “This ownership structure does not assure me that these companies have the ability to operate independently, regardless of their names and legal structure,” said Wayne Thayer, Mozilla’s certification authority program manager, in his announcement on Tuesday. Along with rejecting the UAE’s application, Mozilla said it would block several other separate bids by DarkMatter to become a commercial certificate provider. Mozilla also said it would mark as unsafe the more than 275 websites DarkMatter had already certified under an earlier provisional authority that the company gained in 2017. Mozilla noted that another UAE government entity called the Dubai Electronic Security Center still had a pending application to become a certificate authority, on which Mozilla had not yet made a decision. While each browser company makes its own decisions about who it allows to become a certifying authority, Mozilla is seen as a leader in this area. Security experts say competitors, such as Google’s Chrome browser and Apple’s Safari browser, tend to follow its lead. Thayer said in his announcement that even without a smoking gun that showed DarkMatter had misused certificates, the risks demonstrated by the reports were too great. “While there are solid arguments on both sides of this decision, it is reasonable to conclude that continuing to place trust in DarkMatter is a significant risk to our users,” he said. Source
  23. Mozilla starts test of subscription-based ad-free Internet experience Mozilla launched a new subscription-based service today in partnership with Scroll.com that gives subscribers an ad-free reading experience on participating news sites. Some might say that they get an ad-free experience already thanks to the content blocker that they are using, and that may very well be the case for sites that don't use paywalls or other means of blocking Internet users with ad-blockers from accessing the sites. The idea behind the new service is simple: make sure that site owners and users benefit from an ad-free Internet. Many Internet sites rely on advertisement revenue. Content blockers on the other hand remove ads which is beneficial to the user, but they don't address the revenue issue that arises. You could say that it is not the task of the content blocker to make sure that a site survives, and that is true, but as a user, you may be interested in keeping some sites alive. With Scroll, users would pay a monthly subscription fee to support participating sites. The details are a bit blurry right now. The First Look page is up and it provides some information. According to it, a subscription will cost $4.99 per month but you don't get to see a list of participating sites right now. A click on subscribe leads to a survey and and that sign-ups are limited at the time. Scroll lists some of its partners, and it is a selection of major sites such as Slate, The Atlantic, Gizmodo, Vox, or The Verge. The participating companies receive subscription money instead of advertising revenue. How the subscription money is split up is unclear and there is no information on Scroll's website about how the money is divided among the participating companies. Will participating publishers get their share based on activity or is it a flat fee instead? Mozilla and Scroll will likely get a cut as well. Subscribers get a handful of other benefits besides supporting sites and accessing these sites without seeing any advertisement: from a seamless experience between mobile and desktop devices to audio versions of articles, and a special app that highlights new content without advertising. Closing Words The idea to get Internet users to pay a small amount of money to get rid of advertisement is not entirely new. The test that Mozilla plans to conduct is very limited at the time, only a handful of publishers support it and while that makes for a good start, it is hard to imagine that this is attractive enough to get a sustainable number of users to sign up. It may be an option for Internet users who are a regular on one or multiple of the sites that joined the experiment, and it may be better than having to deal with sites individually instead. Then again, unless Scroll supports lots of sites, I cannot really see this go far unless the service opens its door for all publishers and reveals how business is conducted. The chance of success is certainly higher with a partner like Mozilla. Source: Mozilla starts test of subscription-based ad-free Internet experience (gHacks - Martin Brinkmann)
  24. The current Firefox for Android browser is feature-packed, with tons of security features and support for extensions, but it has never quite matched the performance that Chrome offers. Mozilla has spent the past few months working on a brand new browser for mobile, nicknamed 'Fenix,' and now it has entered public beta. The new Firefox for Android has already been publicly available for a few months, under the name 'Firefox Preview.' Mozilla says the browser is up to twice as fast as the current Firefox for Android, and it offers protection against tracking scripts by default. The interface has been completely revamped, with a bottom address bar and a 'Collections' feature for organizing sites. And yes, it has a dark mode. Under the hood, the new version uses GeckoView, a modified version of Firefox's desktop rendering engine designed to be easily embedded (similar to how Android apps can use embedded instances of Chrome). The company said, "Building Firefox for Android on GeckoView also results in greater flexibility in terms of the types of privacy and security features we can offer our mobile users. With GeckoView we have the ability to develop faster, more secure and more user friendly browsers that deliver unprecedented performance." Extension support is not yet present, but the developers told us that it is being worked on. Mozilla hopes to replace the current version of Firefox with the new browser sometime this fall. As we covered previously, the current Firefox for Android will enter maintenance mode next month and won't receive any new features. Development of Firefox Focus is also being put on hold. You can try out Firefox Preview from this link . Source
  25. Mozilla takes swipe at Chrome with 'Track THIS' project Mozilla is pushing Firefox's latest (and long-delayed) anti-ad tracking efforts, saying it protects user privacy better than Google's Chrome. Magdalena Petrova/IDG Mozilla this week touted Firefox's anti-ad tracking talents by urging users of other browsers to load 100 tabs to trick those trackers into offering goods and services suitable for someone in the 1%, an end-times devotee and other archetypes. Tagged as "Track THIS," the only-semi-tongue-in-cheek project lets users select from four personas - including "hypebeast," "filthy rich," "doomsday prepper," and "influencer" - for illustrative purposes. Track THIS then opens 100 tabs "to fool trackers into thinking you're someone else." Mozilla Track THIS offers four personas – including an end-times zealot – to demonstrate how ad trackers follow users' web wanderings, then customize the ads they see based on where they've been and what they've looked at. The project is part of Mozilla's effort to establish Firefox as the go-to browser on privacy. If it works, the browser will start showing online ads for products the trackers' algorithms believe will be attractive to that persona. "It's really just throwing off brands who want to advertise to a very specific type of person," Mozilla wrote in a June 25 post to one of its blogs. Depending on the agility of the trackers, the products chosen may revert to ones that hit closer to home, Mozilla warned. "Your ads will probably only be impacted for a few days, but ad trackers are pretty sophisticated. They could start reflecting your normal browsing habits sooner than that," the company said. Computerworld donned the mask of a pretend prepper to gauge Track THIS's effectiveness in Chrome on a Mac. (Computerworld also tried Safari, but its "Intelligent Tracking Protection" stymied the impact of the 100 tabs.) Among the 100 tabs were pages at amazon.com shilling 36,000-calorie buckets of bulk meals, water filters and purification pills, "bug-out" bags and the like; sites strutting television programs including "Ancient Aliens" (History Channel); places to purchase hazmat suits; and articles from survivalist websites such as primalsurvivor.net and theprepared.com. Mozilla After running Mozilla's 'Track THIS' project on Chrome – and opening 100 tabs designed to spoof a doomsday prepper – the browser started showing ads for disaster-related products. Subsequent ventures onto the Web with Chrome immediately revealed a change in ads. A visit to slate.com, for example, showed ads for camouflage jackets, while a trip to nbcsports.com boasted a banner ad that read, "You only get once [sic] chance to save your family" and led to wisefoodstorage.com where ad copy asserted "Don't face your next emergency on an empty stomach." The whole purpose of Track THIS was, as Mozilla acknowledged, to publicize Firefox's anti-tracking features. At the end of its blog post, after instructions on how to use Track THIS, Mozilla went into pitch mode. "When you're done with the experiment, get Firefox with Enhanced Tracking Protection [ETP] to block third-party tracking cookies by default." Mozilla has long trumpeted Firefox's down-with-trackers abilities. Originally called just "Tracking Protection" and restricted to Firefox's private browsing mode, the technology blocked a range of content - not just online advertisements but also in-page trackers that sites or ad networks used to follow people around the web. Later, in November 2017, with Firefox 57, aka "Quantum," Mozilla expanded Tracking Protection to cover non-private browsing. Problems persisted, however, with sites often breaking when trackers were struck out. By October 2018's Firefox 63, Mozilla claimed it had tamed site breakage, and added "Enhanced" to the name. Originally, ETP was off by default in Firefox 63, but Mozilla said it would switch it to on-by-default two versions later, in January. But ultimately, the company needed more testing time. Mozilla finally began to roll out on-by-default ETP with Firefox 67.0.1, a June 4 update. The stratagem seemed aimed squarely at Chrome, the world's most popular browser, which accounted for 68% of all browsing activity last month, accord to analytics vendor Net Applications. Of the top four browsers - Chrome, Firefox, Safari, and Microsoft's Edge/Internet Explorer duo - Chrome and Microsoft's lacked integrated anti-tracking tools. And while Firefox's user share has remained mire in the single digits, Mozilla's drumbeat on privacy has been heard by some. Last week, the Washington Post ran a piece titled "Goodbye, Chrome: Google's web browser has become spy software" and stuck it near the top of its website, where it remained for hours. "Seen from the inside, [Google's] Chrome browser looks a lot like surveillance software," argued the newspaper's technology columnist, Geoffrey Fowler. "Having the world's biggest advertising company make the most popular web browser was about as smart as letting kids run a candy shop. It made me decide to ditch Chrome for a new version of nonprofit Mozilla's Firefox, which has default privacy protections." Source: Mozilla takes swipe at Chrome with 'Track THIS' projec (Computerworld - Gregg Keizer)
  • Create New...