Trust the World's Fastest VPN with Your Internet Security & Freedom - A Lifetime Subscription of PureVPN at 88% off. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. ×
Debian

Mozilla Thunderbird Finally Makes Its Way Back Into Debian's Repos (softpedia.com) 47

prisoninmate quotes a report from Softpedia: A year ago, we told you that, after ten long years, the Debian Project finally found a way to switch their rebranded Iceweasel web browser back to Mozilla Firefox, both the ESR (Extended Support Release) and normal versions, but one question remained: what about the Mozilla Thunderbird email, news, and calendar client? Well, that question has an official answer today, as the Mozilla Thunderbird packages appear to have landed in the Debian repositories as a replacement for Icedove, the rebranded version that Debian Project was forced to use for more than ten years due to trademark issues. "Thunderbird is back in Debian! We also renamed other related packages to use official names, e.g. iceowl-extension -> lightning. For now, we need testers to catch existing issues and things we haven't seen until now," said Christoph Goehre in the mailing list announcement. You can find out how to migrate your Icedove profiles to Thunderbird via Softpedia's report.
Mozilla

Mozilla Will Deprecate XUL Add-ons Before the End of 2017 221

Artem Tashkinov writes: Mozilla has published a plan of add-ons deprecation in future Firefox releases. Firefox 53 will run in multi process mode by default for all users with some exceptions. Most add ons will continue to function, however certain add ons have already ceased to function because they don't expect multi user mode under the hood. Firefox 54-56 will introduce even more changes which will ultimately break even more addons. Firefox 57, which will be preliminarily released on the 28th of Novermber, 2017, will only run WebExtensions: which means no XUL (overlay) add ons, no bootstrapped extensions, no SDK extensions and no Embedded WebExtensions. In other words by this date the chromification of Firefox will have been completed. If you depend on XUL add ons your only choice past this date will be Pale Moon.
Netscape

Mozilla To Drop Support For All NPAPI Plugins In Firefox 52 Except Flash (bleepingcomputer.com) 163

The Netscape Plugins API is "an ancient plugins infrastructure inherited from the old Netscape browser on which Mozilla built Firefox," according to Bleeping Computer. But now an anonymous reader writes: Starting March 7, when Mozilla is scheduled to release Firefox 52, all plugins built on the old NPAPI technology will stop working in Firefox, except for Flash, which Mozilla plans to support for a few more versions. This means technologies such as Java, Silverlight, and various audio and video codecs won't work on Firefox.

These plugins once helped the web move forward, but as time advanced, the Internet's standards groups developed standalone Web APIs and alternative technologies to support most of these features without the need of special plugins. The old NPAPI plugins will continue to work in the Firefox ESR (Extended Support Release) 52, but will eventually be deprecated in ESR 53. A series of hacks are available that will allow Firefox users to continue using old NPAPI plugins past Firefox 52, by switching the update channel from Firefox Stable to Firefox ESR.

Firefox

Mozilla Binds Firefox's Fate To The Rust Language (infoworld.com) 236

An anonymous reader quotes InfoWorld: After version 53, Firefox will require Rust to compile successfully, due to the presence of Firefox components built with the language. But this decision may restrict the number of platforms that Firefox can be ported to -- for now... Rust depends on LLVM, which has dependencies of its own -- and all of them would need to be supported on the target platform. A discussion on the Bugzilla tracker for Firefox raises many of these points...

What about proper support for Linux distributions with long-term support, where the tools available on the distro are often frozen, and where newer Rust features might not be available? What about support for Firefox on "non-tier-1" platforms, which make up a smaller share of Firefox users? Mozilla's stance is that in the long run, the pain of transition will be worth it. "The advantage of using Rust is too great," according to maintainer Ted Mielczarek. "We normally don't go out of our way to make life harder for people maintaining Firefox ports, but in this case we can't let lesser-used platforms restrict us from using Rust in Firefox."

InfoWorld points out most Firefox users won't be affected, adding that those who are should "marshal efforts to build out whatever platforms need Rust support." Since most users just want Mozilla to deliver a fast and feature-competitive browser, the article concludes that "The pressure's on not only to move to Rust, but to prove the move was worth it."
Mozilla

Firefox Fail: Layoffs Kill Mozilla's Push Beyond the Browser (cnet.com) 319

So much for Mozilla's quest to bring Firefox to new and different places. From a report on CNET: The nonprofit organization told employees Thursday that it is eliminating the team tasked with bringing Firefox to connected devices. The cuts affect about 50 people. Ari Jaaksi, the senior vice president in charge of the effort, is leaving, and Bertrand Neveux, director of the group's software, has told coworkers he will depart too. Mozilla had about 1,000 employees at the end of 2016. The layoffs greatly curtail the nonprofit organization's ability to make Firefox relevant again. Once a dominant choice for internet browsing, it has long been overshadowed by Google's Chrome. Mozilla tried to take the web technology powering Firefox to other devices, but struggled to get acceptance. Its shrinking influence comes at a time when more people are browsing the internet on their phones -- an area where Firefox is particularly weak.
Security

HTTPS Adoption Has Reached the Tipping Point (troyhunt.com) 85

Security expert Troy Hunt, who is perhaps best known for creating Have I Been Pwned data breach service, argues that adoption of HTTPS has reached the tipping point, citing "some really significant things" that have happened in the past few months. From a blog post: We've already passed the halfway mark for requests served over HTTPS -- This was one of the first signs that we'd finally hit that tipping point and it came a few months ago. This is really significant -- Mozilla is now seeing more secure traffic than it is non-secure traffic. Now that doesn't mean that most sites are now HTTPS because that figure above has a huge portion of traffic served from a small number of big sites. Twitter, Facebook, Gmail etc. all do all their things over HTTPS and that keeps that number quite high. Hunt also cited security aficionado Scott Helme's recent analysis which found that the number of websites listed in Alexa's top one million websites that have adopted to HTTPS has more than doubled year from August 2015 to August 2016. Troy adds: Browsers are holding non-secure sites more accountable. Chrome 56 is now holding sites using bad security practices to account (by flagging a "not secure" label in the address bar when you visit such websites). Many sites you wouldn't expect are now going HTTPS by default. (He cites websites such as ArsTechnica, NYTimes as examples). Making more cases for his argument, Hunt adds that HTTPS sites are not slow as they used to be, and that services such as Let's Encrypt and Cloudflare have made it free and east to bring this security feature.
Chrome

Chrome Now Reloads Pages 28% Faster (techcrunch.com) 124

Google has announced that it has worked with Facebook and Mozilla to make page reloads in Chrome for desktop and mobile significantly faster. According to Google's data, reloading sites with the latest version of Chrome should now be about 28 percent faster. From a report: Typically, when you reload a page, the browser ends up making hundreds of network requests just to see if the images and other resources it cached the first time you went to a site are still valid. As Google engineer Takashi Toyoshima notes in today's announcement, users typically reload pages because they either look broken or because the content looks like it should have been updated (think old-school live blogs). He argues that when browser developers first added this feature, it was mostly because broken pages were common. Today, users mostly reload pages because the content of a site seems stale.
Firefox

Firefox 51 Arrives With HTTP Warning, WebGL 2 and FLAC Support (venturebeat.com) 130

Reader Krystalo writes: Mozilla today launched Firefox 51 for Windows, Mac, Linux, and Android. The new version includes a new warning for websites which collect passwords but don't use HTTPS, WebGL 2 support for better 3D graphics, and FLAC (Free Lossless Audio Codec) playback. Mozilla doesn't break out the exact numbers for Firefox, though the company does say "half a billion people around the world" use the browser. In other words, it's a major platform that web developers target -- even in a world increasingly dominated by mobile apps.
Mozilla

Mozilla Releases New Open Source 'Internet Health Report' (venturebeat.com) 69

Slashdot reader Krystalo shared this VentureBeat article: Fresh off its brand redesign, Mozilla has released The Internet Health Report, an open-source initiative to document the state of the internet, combining research and reporting from multiple sources... Mozilla's goal is to start a constructive discussion about the health of the internet by exploring what is currently healthy and unhealthy, as well as what lies ahead...

One notable statistic is the number of people who can't get online in the first place. The report shows that 57.8% of the world's population cannot afford broadband internet, and 39.5% cannot afford an internet connection on their mobile device. Other findings include the fact that there were 51 intentional internet shutdowns across 18 countries in the first 10 months of 2016; almost one-third of the world's population has no data protection rights; and 52% of all websites are in English, even though only 25% of the global population understands the language.

They're now gathering feedback and choosing which metrics to revisit every year, but five key topics include "decentralization: who controls the internet" and "open innovation: how open is it?" as well as security, web literacy, and digital inclusion. But Mozilla says their ultimate goal is very simple: to identify what's helping -- and what's hurting -- the internet.
Firefox

The SHA-1 End Times Have Arrived (threatpost.com) 50

"Deadlines imposed by browser makers deprecating support for the weakened SHA-1 hashing algorithm have arrived," writes Slashdot reader msm1267. "And while many websites and organizations have progressed in their migrations toward SHA-2 and other safer hashing algorithms, pain points and potential headaches still remain." Threatpost reports: Starting on Jan. 24, Mozilla's Firefox browser will be the first major browser to display a warning to its users who run into a site that doesn't support TLS certificates signed by the SHA-2 hashing algorithm... "SHA-1 deprecation in the context of the browser has been an unmitigated success. But it's just the tip of the SHA-2 migration iceberg. Most people are not seeing the whole problem," said Kevin Bocek, VP of security strategy and threat intelligence for Venafi. "SHA-1 isn't just a problem to solve by February, there are thousands more private certificates that will also need migrating"...

Experts warn the move to SHA-2 comes with a wide range of side effects; from unsupported applications, new hardware headaches tied to misconfigured equipment and cases of crippled credit card processing gear unable to communicate with backend servers. They say the entire process has been confusing and unwieldy to businesses dependent on a growing number of digital certificates used for not only their websites, but data centers, cloud services, and mobile apps... According to Venafi's research team, 35 percent of the IPv4 websites it analyzed in November are still using insecure SHA-1 certificates. However, when researchers scanned Alexa's top 1 million most popular websites for SHA-2 compliance it found only 536 sites were not compliant.
The article describes how major tech companies are handling the move to SHA-2 compliance -- including Apple, Google, Microsoft, Facebook, Salesforce and Cloudflare
Security

Top Security Researchers Ask The Guardian To Retract Its WhatsApp Backdoor Report (technosociology.org) 70

Earlier this month The Guardian reported what it called a "backdoor" in WhatsApp, a Facebook-owned instant messaging app. Some security researchers were quick to call out The Guardian for what they concluded was irresponsible journalism and misleading story. Now, a group of over three dozen security researchers including Matthew Green and Bruce Schneier (as well as some from companies such as Google, Mozilla, Cloudflare, and EFF) have signed a long editorial post, pointing out where The Guardian's report fell short, and also asking the publication to retract the story. From the story: The WhatsApp behavior described is not a backdoor, but a defensible user-interface trade-off. A debate on this trade-off is fine, but calling this a "loophole" or a "backdoor" is not productive or accurate. The threat is remote, quite limited in scope, applicability (requiring a server or phone number compromise) and stealthiness (users who have the setting enabled still see a warning; "even if after the fact). The fact that warnings exist means that such attacks would almost certainly be quickly detected by security-aware users. This limits this method. Telling people to switch away from WhatsApp is very concretely endangering people. Signal is not an option for many people. These concerns are concrete, and my alarm is from observing what's actually been happening since the publication of this story and years of experience in these areas. You never should have reported on such a crucial issue without interviewing a wide range of experts. The vaccine metaphor is apt: you effectively ran a "vaccines can kill you" story without interviewing doctors, and your defense seems to be, "but vaccines do kill people [through extremely rare side effects]."
Firefox

Mozilla's New Logo Reminds Us that It Is, In Fact, a Web Firm (cnet.com) 185

Mozilla has a new logo. The company has ditched the world "ill" from the name with a colon and two slashes. From a report: Last year, Mozilla, the internet company best known for the Firefox browser, publicly started the rebranding process by opening the door to public feedback. With several options on display, Mozilla asked for comments and input from all who cared to share. As of today, the new logo is official and the simple change is meant as a reminder that Mozilla is more than just a browser.
Mozilla

Browser Autofill Profiles Can Be Abused For Phishing Attacks (bleepingcomputer.com) 112

An anonymous reader quotes Bleeping Computer: Browser autofill profiles are a reliable phishing vector that allow attackers to collect information from users via hidden form fields, which the browser automatically fills with preset personal information and which the user unknowingly sends to the attacker when he submits a form... Finnish web developer Viljami Kuosmanen has published a demo on GitHub... A user looking at this page will only see a Name and Email input field, along with a Submit button. Unless the user looks at the page's source code, he won't know that the form also contains six more fields named Phone, Organization, Address, Postal Code, City, and Country. If the user has an autofill profile set up in his browser, if he decides to autofill the two visible fields, the six hidden fields will be filled in as well, since they're part of the same form, even if invisible to the user's eye.

Browsers that support autofill profiles are Google Chrome, Safari, and Opera. Browsers like Edge, Vivaldi, and Firefox don't support this feature, but Mozilla is currently working on a similar feature.

Mozilla

Firefox 52 Borrows One More Privacy Feature From the Tor Browser (bleepingcomputer.com) 81

An anonymous reader writes: Mozilla engineers have added a mechanism to Firefox 52 that prevents websites from fingerprinting users using system fonts. The user privacy protection system was borrowed from the Tor Browser, where a similar mechanism blocks websites from identifying users based on the fonts installed on their computers, only returning a list of "default fonts" per each OS. While sabotaging system font queries won't stop user fingerprinting as a whole, this is just one of the latest privacy-related updates Mozilla has added to Firefox, taken from Tor. Back in July 2016, Mozilla engineers started the Tor Uplift project, which aims to improve Firefox's privacy features with the ones present in the Tor Browser.
Firefox

Mozilla Will Support Firefox For XP and Vista Until At Least September 2017 (venturebeat.com) 73

Krystalo writes: Mozilla today announced that it will continue to support Firefox for Windows XP and Windows Vista until September 2017. In March 2017, XP and Vista users will automatically be moved to the Firefox Extended Support Release (ESR) and in mid-2017 the company will reassess user numbers to announce a final support end date for the two operating systems. Firefox ESR is a version designed for schools, universities, businesses, and others who need help with mass deployments. Firefox ESR releases are maintained for one year. This means Mozilla will provide regular Firefox security patches for XP and Vista users for nine more months. After that, it may continue for a few more months, but eventually the browser won't get new versions on those operating systems. Mozilla correctly notes that "unsupported operating systems receive no security updates, have known exploits, and are dangerous for you to use." The company also tells enterprises that September 2017 should be considered the support end date for planning purposes and "strongly recommends" that all users "upgrade to a version of Windows that is supported by Microsoft."
Firefox

Firefox Takes the Next Step Towards Rolling Out Multi-Process To Everyone (arstechnica.com) 154

An anonymous reader quotes a report from Ars Technica: With Firefox 50, Mozilla has rolled out the first major piece of its new multi-process architecture. Edge, Internet Explorer, Chrome, and Safari all have a multiple process design that separates their rendering engine -- the part of the browser that reads and interprets HTML, CSS, and JavaScript -- from the browser frame. They do this for stability reasons (if the rendering process crashes, it doesn't kill the entire browser) and security reasons (the rendering process can be run in a low-privilege sandbox, so exploitable flaws in the rendering engine are harder to take advantage of). Moreover, these browsers can all create multiple rendering engine processes and use different processes for different tabs. This means that the scope of a crash is narrowed even further, typically to a single tab. Internet Explorer and Chrome both implemented this long ago, in 2009. Firefox, however, has not offered a similar design. Although work on a multi-process browser was started in 2009, under the codename Electrolysis, that work was suspended between 2011 and 2013 as priorities within the organization shifted. In response, Mozilla started switching to a new extension system in 2015 that opened the door to a multi-process design. The first stage of Firefox's move to multi-process involves separating the browser shell from a single rendering process that's used by every tab. In Firefox 48, that feature was enabled for a small number of users who used no extensions. Firefox 49 was rolled out to include users running a limited selection of extensions. Now, in Firefox 50, a separate renderer process is used for most users and most extensions. Developers are now able to mark their extensions as explicitly multi-process compatible. Firefox 51 will extend this even further to cover all extensions, except those that are explicitly marked as incompatible. Mozilla says that, even with the limited changes made in Firefox 50, responsiveness of the browser has improved by 400 percent due to the separation between the renderer and the browser shell. During page loads, responsiveness will increase to 700 percent.
Firefox

Most Firefox Users Still Running Windows 7 (softpedia.com) 210

Microsoft is pushing hard for Windows 10 to become the operating system of choice for everyone across the world, but this isn't happening just yet, as Windows 7 keeps dominating the desktop market. From a report on Softpedia: The Firefox Hardware Report published recently by Mozilla shows that Windows 7 is the number one browser for users running the company's browser, with a share of 44.86 percent, followed by Windows 10 with 25.67 percent. Seeing Windows 7 dominating the desktop OS charts is not surprising, but on the other hand, it's living proof that Microsoft will really have a hard time moving users to Windows 10 before 2020 when it reaches end of support. Microsoft's Windows 10, however, already improved substantially since its launch in 2015, mostly thanks to the free upgrade offer targeting Windows 7 and 8.1 users, but this still isn't enough to become the number one choice for PC users.
Businesses

Are Remote Offices Becoming The New Normal? (backchannel.com) 250

"As companies tighten their purse strings, they're spreading out their hires -- this year, and for years to come," reports Backchannel, citing interviews with executives and other workplace analysts. mirandakatz writes: Once a cost-cutting strategy, remote offices are becoming the new normal: from GitHub to Mozilla and Wordpress, more and more companies are eschewing the physical office in favor of systems that allow employees to live out their wanderlust. As workplaces increasingly go remote, they're adopting tools to keep employees connected and socially fulfilled -- as Mozilla Chief of Staff David Slater tells Backchannel, "The wiki becomes the water cooler."
The article describes budget-conscious startups realizing they can cut their overhead and choose from talent located anywhere in the world. And one group of analysts calculated that the number of telecommuting workers doubled between 2005 and 2014, reporting that now "75% of employees who work from home earn over $65,000 per year, putting them in the upper 80th percentile of all employees, home or office-based." Are Slashdot's readers seeing a surge in telecommuting? And does anybody have any good stories about the digital nomad lifestyle?
Advertising

Malvertising Campaign Infects Your Router Instead of Your Browser (bleepingcomputer.com) 137

An anonymous reader quotes a report from BleepingComputer: Malicious ads are serving exploit code to infect routers, instead of browsers, in order to insert ads in every site users are visiting. Unlike previous malvertising campaigns that targeted users of old Flash or Internet Explorer versions, this campaign focused on Chrome users, on both desktop and mobile devices. The malicious ads included in this malvertising campaign contain exploit code for 166 router models, which allow attackers to take over the device and insert ads on websites that didn't feature ads, or replace original ads with the attackers' own. Researchers haven't yet managed to determine an exact list of affected router models, but some of the brands targeted by the attackers include Linksys, Netgear, D-Link, Comtrend, Pirelli, and Zyxel. Because the attack is carried out via the user's browser, using strong router passwords or disabling the administration interface is not enough. The only way users can stay safe is if they update their router's firmware to the most recent versions, which most likely includes protection against the vulnerabilities used by this campaign. The "campaign" is called DNSChanger EK and works when attackers buy ads on legitimate websites and insert malicious JavaScript in these ads, "which use a WebRTC request to a Mozilla STUN server to determine the user's local IP address," according to BleepingComputer. "Based on this local IP address, the malicious code can determine if the user is on a local network managed by a small home router, and continue the attack. If this check fails, the attackers just show a random legitimate ad and move on. For the victims the crooks deem valuable, the attack chain continues. These users receive a tainted ad which redirects them to the DNSChanger EK home, where the actual exploitation begins. The next step is for the attackers to send an image file to the user's browser, which contains an AES (encryption algorithm) key embedded inside the photo using the technique of steganography. The malicious ad uses this AES key to decrypt further traffic it receives from the DNSChanger exploit kit. Crooks encrypt their operations to avoid the prying eyes of security researchers."
Microsoft

Flash Will Soon Be 'Click-To-Run' in Microsoft Edge (bleepingcomputer.com) 72

Microsoft is following in the footsteps of other browser makers such as Apple, Google, and Mozilla, and says that upcoming Edge browser versions will favor HTML5 over Flash by default. From a report on BleepingComputer: "Sites that support HTML5 will default to a clean HTML5 experience," Microsoft said today. "In these cases, Flash will not even be loaded, improving performance, battery life, and security." On sites where Flash is needed, users will be prompted using a popup like the one seen below. Edge will ask users only once, and the browser will remember the user's choice for subsequent visits. Microsoft has already pushed these changes to Edge users on Windows Insiders builds. Regular Windows users will receive this update in the coming weeks.

Slashdot Top Deals