Domain: mozilla.org
Stories and comments across the archive that link to mozilla.org.
Comments · 17,579
-
Sad recent action of Mozilla Foundation:
"The Eich incident tarnished Mozilla's reputation."
That incident showed a shocking lack of social understanding. Mozilla CEO resignation raises free-speech issues.
The most amazingly sad recent action of Mozilla Foundation, in my opinion, is the fact that the 32-bit and 64-bit versions have the same file name!
-
Re:This article is alarmist rubbish.
This just in: Installing malware is bad for your computer. Film at 11.
What a pile of crap.
Agreed. Frankly this just looks like more FUD against browser addons and a lame attempt to justify Mozilla's looming walled garden and continued Chromification approach to Firefox addons. See also: slow death of the personal computer.
-
Re: When will Mozilla wake up?!
Are you talking about Firefox Developer Edition, though? It is drastically different from the main release. It's two versions ahead (currently 47) and has electrolysis fully enabled. My experiences mirror jemmyw's in that earlier this year I tried out the developer edition and was quite surprised how quick and smooth it was. Since then I've used the developer edition as my main browser.
I do agree the main release of Firefox is and has been lackluster (slow, jerky/jittery). The developer edition may still be slower than other browsers (I haven't profiled them to get numbers) but it is a significant and noticeable improvement over the main release (currently version 45). So whenever electrolysis (and whatever else is in 47 but not 45, maybe JS/JIT engine improvements?) gets into the main release, Firefox users should see a much-needed improvement in speed and usability.
-
Firefox will be fucked by malware like this, too?!
So a few months ago the Firefox devs announced that Firefox would start using an extension approach compatible with that of Chrome's:
To this end, we are implementing a new, Blink-compatible API in Firefox called WebExtensions. Extension code written for Chrome, Opera, or, possibly in the future, Microsoft Edge will run in Firefox with few changes as a WebExtension. This modern and JavaScript-centric API has a number of advantages, including supporting multi-process browsers by default and mitigating the risk of misbehaving add-ons and malware.
So this Chrome-inspired extension approach that Firefox will be using is supposed to mitigate "the risk of misbehaving add-ons and malware", yet this incident suggests to me that the Chrome approach may have some serious problems with malware.
How will the Firefox devs be handling these problems, so that malware attacks like this can't happen with extensions used with Firefox?
-
Re:The software is getting worse, though.
My biggest problem with Firefox is how it keeps losing my dictionary. If I open up too many tabs, suddenly the "Check Spelling" disappears and I have to go re-install the dictionary again. I don't know if this is a flaw a hipster coder introduced, but I'll go along with your idea and blame them for it anyway lol. Not all Millennials are hipsters; I know several Millennials that are quite serious IT people. But they are most certainly not "hipsters"...but looking at the Firefox dev team only one of them looks like they might be a hipster.
-
Re:Put a fork in it
This is probably closer to what Mozilla would have in mind: Lightspeed
-
Mozilla guys doing the same thing
Mozilla Firefox has a "bug" open for same purpose and there are several reasons for the switch, build performance increase and increased security.
-
Re:Skip to the end
Let's just skip to the end and launch an initiative to remove Yahoo.
Seriously, who uses them?
Anybody who installed Firefox and accepted all defaults
-
Don't forget security
There is the issue of security too. One security question is whether it has "Slaughterhouse" (see https://bugzilla.mozilla.org/s... and http://bholley.net/blog/2016/t...). This is not the only incident where Mozilla people have suggested hiding bugs until an old ESR goes end of life BTW.
-
depressing
This kind of stuff is depressing. You'd like to say, "Oh, the programmers are doing the best they can," but when you have an open bug list that looks like this, you can't possibly ensure that your code is secure, not even close. That kind of codebase is like a playground for hackers.
-
Re:Wrong subsequent links
Hopefully you filed bugs for the issues you encountered? https://bugzilla.mozilla.org/e...
-
Re:Congrats Slashdot!
You know what is good about HTTPS these days:
- HTTP/2 using HTTPS is faster than HTTP/1.x without HTTPS and it's getting easier to deploy it. For example by using the H2O webserver ( https://h2o.examp1e.net/ ) as a proxy, it comes with built in SSL/TLS library for easier deployment and support for replicating sessions.
HTTPS itself is becoming easier to deploy and manage:
- HTTPS doesn't need a dedicated IP-address any more (older browsers/operating systems had problems with the HTTPS equivalent of 'virtual hosts'):
https://en.wikipedia.org/wiki/...
- certificates are available for free with an automatic request and renewal system. So no more messing around, you can automate it. -> with Let's Encrypt Beta: https://letsencrypt.org/ and for example with acmetool: https://hlandau.github.io/acme....
There are finally ways to fight the silly CA-system, not completely, but things are improving.
For regular visitors on a site you can add headers which will prevent another CA issuing a rogue certificate for your site.
https://developer.mozilla.org/...
-
Re:So...
The problem is that the new extensions system is much more restrictive and doesn't allow all the features to be added back in.
Your claim is based on what exactly? The new extensions system is being explicitly tested against the features of current add-ons to ensure that all the required capability makes its way into the new model. Who am I going to believe? Some random user posting on Slashdot, or the author of NoScript who is currently testing and helping to implement the WebExtensions API? Given the choice between baseless talk and meaningful action I'll choose action every time.
-
they need to SLOW DOWN
i just got version 44 working as it's *supposed to* and as expected... on just one of many desktops (others are quite a bit behind).... please let me enjoy a personalized, functional browser for a few days before you fuck it up again
i guess i'll just set up 45 esr on everything.. that way i'm only at risk of being pissed off at them once a year or so instead of every six weeks.
-
Re:Please Don't Ignore the Desktop
Not yet. I found some posts from people having similar issues. A fairly recent one is https://support.mozilla.org/en.... An older one that suggests an about:config tweak is https://support.mozilla.org/en.... I've always fixed it by restarting Firefox, which sometimes also requires killing the process.
To be fair, I don't know for a fact that my issue is directly related to RAM usage. It was just something I noticed the last couple times I tried to troubleshoot the problem. Right now I'm using ~845MB with no apparent issues. It hasn't happened in about a week. If it starts happening again, I'll file a report.
-
Re:We don't want to be negative about Mozilla.
-
Re: We don't want to be negative about Mozilla.
Not to mention the question of whether it has "Slaughterhouse" (see https://bugzilla.mozilla.org/s... and http://bholley.net/blog/2016/t...). This is not the only incident where Mozilla people have suggested hiding bugs until an old ESR goes end of life BTW.
-
Re:No way!
Tab groups are a rare example of a UI experiment done well. While they'll no longer be integrated into the browser, Mozilla has communicated very clearly about the transition and the full functionality of tab groups is available in an add-on.
I don't care for Pocket but Hello and Reader are alright. It's really convenient to video chat with Hello already installed. Your communications are encrypted and p2p with WebRTC so it's a hell of a lot better than Skype snooping on you.
-
Re:mozilla distracted to death
> Pocket isn't a Mozilla project.
But they have caused the UI to become worse.
Firefox for mobile has a feature called Reading List, https://bugzilla.mozilla.org/show_bug.cgi?id=1123529.
It has been disabled/removed for desktop, presumably because of Pocket integration.
p.s. I have loved Pocket (since it was called ReadItLater), love Instapaper, and Readability, and have subscribed to them at one time or another. Sometimes I want to use Pocket, and sometimes I want to use Reading List. On mobile, I can.
-
Re:selohssA
I know this is hard to understand but, as I posted above, Mozilla is not getting rid of Thunderbird. Read the actual press-release yourself. Read what they're saying. Read what they're doing. They're moving it to another part of the organization so that they can more easily keep it separate from Firefox. They kind of have to because the framework is about to change and the old-style add-ons are not going to work with the new versions of Firefox but they want to keep those add-on styles for Thunderbird.
I already said this so I'll post this as an AC. I'm time-limited today. I encourage you to actually see what's going on instead of relying on others to interpret things for you. Read more than the comments at this site - read the actual releases, see the actual practices, read the actual article. Well, fuck that last one... Ain't no one got time for article reading when we've got lit torches and an agenda.
Seriously, there are no plans to kill Thunderbird - at least no announced plans. They're still actively developing it. It's just to reduce the "technical deficit" caused by keeping Firefox and Thunderbird together. Firefox is getting some sort of Chrome extension stuff. Thunderbird is not. The parts of Thunderbird that rely on Firefox are going to have to be developed slightly differently because of this.
As I stated above, I'm really inclined to think that it was a willful misinterpretation that resulted in the belief that Mozilla is casting aside Thunderbird. They are not. In fact, Thunderbird is now up to something like 10,000,000 *daily* requests for a block file on their server - so, some rough metrics. They are not going to kill that. It is still very much active. It's basically the equivalent of a corporation's reorganization. It might fail, it might not. It might get halted in the future, it might not. However, the current goal is not, in fact, to kill the project.
Does anyone actually read at this site? How about this for a link, I just had it open from following someone else's link so it's still in my browser's history though I'd read it a couple of months ago:
https://blog.mozilla.org/thund...
They are NOT killing off Thunderbird.
-
Re:We don't want to be negative about Mozilla.
I wonder if this blog article is a good example: https://blog.mozilla.org/advan...
-
Re:I didn't realise this add-on existed...
Hrm. If there were only some way to search for that kind of thing...
-
Re:Let THE USER Decide
Haha, ok, well, that's the end of Firefox, then. I've just read the signing process and nope, nope, nope. I used to write and maintain extensions for a local site I was involved with and there is no way in hell I'm submitting shit to them and waiting for them to approve what already works and my users already trust me with.
Although I might just work out how to get everyone installing a developer certificate or recommend that they install one of the Firefox forks.
-
Re:And Firefox?
In fact there is a difference that makes the PDF reader in Firefox more secure than the ones in Chrome or Edge: In chrome and edge, the PDF reader is a binary module, that's sandboxed some way from the other parts of the operating system, with that sandbox being the only protection mechanism.
In Firefox, the PDF reader is written 100% in javascript. Originally in fact it has been written by some guy who greatly improved the javascript JIT engine for firefox, and wanted to demonstrate how fast the javascript VM has now become, and that it can run "real" applications like PDF readers.
In fact, since the earliest days, the website for the firefox PDF reader featured his paper as example document: https://mozilla.github.io/pdf....
To get back to the topic: due to the fact that the firefox PDF reader only uses APIs and functionality that is already available in the web, viewing a PDF file isn't less secure than normally browsing the internet (without any addons that e.g. block javascript or something). So in theory the firefox PDF reader should be the most secure one, as there is no difference, and thus no additional attack surface.
However, there is a tiny part where the firefox PDF reader is different from normal js code, and it has been abused already once: https://blog.mozilla.org/secur...
It was no remote code execution bug, but it allowed websites to read files on your disk, that's pretty bad.
So yes, in principle the PDF reader for firefox is the most secure one.
-
Well...
CEOs don't have to worry about losing their job because a few whiny children throw a tantrum. Oh wait...nevermind
-
Re:It's not a fucking disaster like FF and Chrome
Funnily enough, I typed that reply with Pale Moon. I've been trying it out for the last two weeks and am fairly impressed with it. Still, I'll probably go back to using Firefox as my main browser, but Vivaldi and Pale Moon are there if I do choose to move away.
I'm finding the direction that Firefox is taking is trying my patience, and as a long time user of Firefox since its Phoenix days, there might come a day when I say bye. Vivaldi and Pale Moon might well make that bye easier.
I've been using Pale Moon for a while now. I've used Firefox since the Firebird days but for me (and many others) Mozilla's decision to deprecate XUL-based extensions in favour of the WebExtensions API so that Firefox can be compatible with Chrome and Opera is the last straw. The WebExtensions API is much more restrictive and many popular extensions will be unworkable as a result.
There has been a lot of negative reaction in the Mozilla forums; e.g "it's the extensions that make Firefox" and "If I wanted Chrome I'd use Chrome". But the Mozilla developers don't seem to be listening anymore.
I've found Pale Moon very good so far. Stable 64-bit builds, pre-Australis UI, all my favourite extensions work fine, sane and responsive developer community; what's not to like? Pale Moon will be my browser of choice for the foreseeable future.
-
Re:WTF? End-to-end encryption not even mentioned!?
The keys can be saved on the server and processed in the JS client.
Keys cannot be saved on the server. If you give the private keys to Google, they can decrypt the messages at rest on their servers. This is why no encrypted storage uses server-stored keys: see Spideroak for an example of modern encrypted storage that keeps keys client-side only for a very good reason. Rule one of having keys: never give them to anyone.
The point is to encrypt email during transit so nobody can snoop
The point is not to encrypt email during transit. The point is to encrypt e-mail at all points between the correspondents. The mail should be encrypted clientside and remain encrypted while at rest on the servers as well as during transit. S/MIME and PGP/GPG do that. Encrypting only during transit means that plaintext is sitting around waiting to be hoovered up by Google (for ad profile building) and whatever other parties (NSA, hackers, etc) have access to Google's servers.
If you don't trust gmail don't use gmail.
Despite seeming an off-topic statement in a discussion about securing gmail, this is the root of the problem. Google is scanning gmail accounts and does provide governments (and any hackers it doesn't know about) with access to those accounts. Using client-side S/MIME or PGP/GPG solves that trust issue, for values of "solve" that require an attacker to expend more work than is feasible. Self-hosting e-mail also solves that trust issue in other ways, but it is out of the realm of discussion, since the topic is how best to secure gmail.
Alternately the keys can be decrypted with a user inputted pass phrase in the JS client, which means even gmail would be unable to read your mail. Assuming they don't snoop your pass phrase themselves. But if that is a problem, why use gmail in first place.
The user passphrase is far weaker than an S/MIME or PGP key. That negates the point of having an S/MIME or PGP key, which is in effect a very, very long passphrase stored clientside. The difference between the two (certificate and passphrase) is important to cryptography: for this, see any discussion of the difference between SSH with keys and passphrases (or preferably both in combination). There is an advantage to having both, but there is no security advantage in having a much weaker link alone guard a much stronger one. Take a second to reread that carefully.
There is no JS solution to the problem of securing gmail; otherwise, one would have been written long ago. People have thought about the issue and realized that there is no good solution. That is why people have created solutions like the Firefox addon for S/MIME and the MyMail Crypt for gmail: they are plugins for a reason. You should try understanding that reason, because it will advance your knowledge of the dangers and limitations of cryptography.
I'm not saying this to be an asshole, but because you demonstrate a certain hubris when it comes to what you believe can be done with Javascript and how security works. That hubris could hurt some project that you work on, and that pain is unnecessary. You will be better able to contribute valuable work to your business or the community if you take the time now to learn the limits of what you should and should not do with encryption keys.
-
Re:gfx.font_rendering.graphite.enabled
Or, equivalently, install the Flash plugin for increased usability and security.
-
Re:Current version of Firefox is not vulnerable
Yes, Firefox fixed this issue in 44.0.2, released last Thursday. Weirdly, when I checked that page Thursday it did not mention a thing about the graphite vulnerability. It was added today: https://www.mozilla.org/en-US/...
-
Re:Can't expect Firefox to be secure
Given the bugs they've fixed over the past year and their roadmap, I'm pretty sure you're just sensationalizing.
When your product is "a web browser" and you announce you are removing HTTP protocol support, again removing HTTP support in your web browser, it's pretty hard to repeat that title word-for-word from Mozilla without it sounding like "sensationalizing"
Perhaps Mozilla shouldn't have made such sensational claims in the first place?
I know that people love to do that when their pet features are lost (because who wants to use addons, amirite), but it's pretty sad to see how much people dump on the Firefox devs because they want to see Firefox magically improve without "destroying" anything.
Removing HTTP protocol support is hardly a pet feature, it's the sole feature for this software to even exist let alone what it does.
Besides Mozilla has deprecated most of their entire addon API already, and they haven't even locked down the addon store yet.
There is no way they are going to be putting over a year of work into removing HTTP protocol support only to allow someone to add it back in with an addon.
Not to mention requiring an addon be installed in your web browser before it can web browse is about as stupid as it gets.
It's just easier to blame everything on Mozilla, because that's the party line.
Then the Mozilla devs should stop publicly announcing shit they don't want repeated.
https://blog.mozilla.org/secur...
-
Re:I'd like to hear Mozilla's response
Mozilla's response is to build a browser that has the same protections as other browsers.
https://wiki.mozilla.org/Electrolysis
They're doing that because they know their current tech isn't up to it. It's funny how their fans keep defending their current tech when Firefox themselves are abandoning it as soon as possible.
-
Re:what?
I personally don't consider Firefox to be an open source project in any meaningful way. I see it more as a proprietary project whose source code is publicly available, and that's all it is.
A true open source project is driven by the community, not by the maintainer alone. Firefox is driven solely by Mozilla. Regular users have no real say. The best we can do is submit a bug report, and it'll likely be ignored, sometimes for years. It's really not worth the effort to even bother sending in a patch.
Mozilla sure as hell didn't listen to the Firefox community at large when this community rejected Australis, Pocket, Hello, tile ads, and the many other smaller unwanted UI changes that have been forced on us.
Mozilla sure as hell didn't listen to the Firefox community at large when this community requested that the performance be improved, and the memory usage reduced.
Now we're being told that the extension system is going to undergo massive restructuring, and our extensions will very likely break, without us getting any real benefit from these changes.
Heck, we only have to look to Mozilla's own Firefox feedback stats to see how disappointed Firefox's users are. Something is seriously wrong when 80% or more of users are unhappy with a product!
The only time we've seen the community have any sort of real involvement in the development of Firefox is when it has been forked, and Mozilla is left out of the picture completely. See the Pale Moon project for an example of this. It's perhaps the closest thing there is to an open source project built around Firefox's technology.
As far as I'm concerned, Firefox is a proprietary project and we just have access to the source code. It's not a community-driven open source project.
-
Re:But rust is supersecure?
Nope, Rust is being used by Mozilla to develop the experimental layout engine Servo, but there are (as far as I am aware) no plans to completely rewrite Firefox in Rust. There are plans to gradually replace some components in Firefox written in C/C++ with Rust, e.g. a url parser and a mp4 parser, but I don't think these are part of the current Firefox release.
-
Re:Users vs developers
This matches up to a /. story from earlier this week - the Firefox developers cut a perfectly good feature which some people based their browsing habits around because they could. Apparently it caused the occasional abort.
The FF developers have too much time and neither enough clue nor oversight, Australis was another product of that mindset. What does one do under these circumstances? I know someone who has now started his own private fork over this, Firefox ESR is another short-term solution.
-
Re:Holy Cow
What's that got to do with anything I wrote? I don't use Firefox so I'm not really across its features but certainly looking at the exhaustive list of what was added to the latest release here I would say most of them fit those two categories.
-
$52 a YEAR?
Damn, that's pretty expensive. A print + online subscription for the magazine is only $19.99, AND a free hat (!). Did someone in their marketing department just fail at basic math, or is this some experiment in psychological marketing? The plug-in Disable Anti-Adblock works great on Forbes, I'm betting it will also work on Wired.
-
Re:Holy Cow
You young whippersnappers think because there's a new version out it's legitimate and better. He's telling you it's a regression.
Here is the changelog for the latest version, where is the regression?
-
Re:Holy Cow
[...] Can't anybody build anything that will last more than a few weeks? Am I that old to believe long term stability is a good thing?
Good thing Mozilla does just that, eh? They pick one of about every seven major-version Firefox release to make an ESR (extended support release) version, and they have been doing this since 2012. The ESR release is supported for one full year, plus another couple months or so (specifically, the time it takes to release the next major version of Firefox after that on which the last point release of the ESR version is based--they add critical fixes from major versions to ESR versions during the year of support but avoid major feature or UI changes).
This is intended for organizations that deploy Firefox and need some stability (e.g., to test something before deployment and ensure support longer than 6-8 weeks), but you can use it at home, too, if you want.
-
Re:Just more reason to use ublock
He probably meant uBlock Origin, not the crappy hijacked uBlock with donation links.
UBLOCK ORIGIN
PS: accept no sobstitutes!
-
Posting this with Pale Moon, 64-bit version.
Pale Moon is a version of the Firefox code without a lot of the managerial mistakes made by Mozilla Foundation. Pale Moon has a 64-bit edition that in my experience is far more stable than Firefox. Firefox has memory hogging and subsequent instability that causes it to crash when there are many windows and tabs open.
Usually Firefox add-ons work perfectly with Pale Moon.
Pale Moon has tools for migration from Firefox and for backup. Adblock Latitude blocks ads. There are other Pale Moon add-ons.
Nice add-on for both Firefox and Pale Moon: The Open Link in... add-on provides an "Open Link in Background Tab" option that is good for deciding which Slashdot stories you want to read later.
-
Re:The gun is pointing at the foot
-
Re:Holy Cow
I would love to know where the "improvements" are in a program that is no faster than, has grown just as fat as, and still has less than a quarter of the user features of its ancestor.
Then why haven't you just looked at the changelogs? The basic release notes for the latest release are here and the full changelog is here. Sure they could have just made these changes and sat on them for a time but why not just release them when they're ready?
-
Re:Wake up, Mozilla morons
Sounds like you want Firefox Extended Support Release (ESR). ESR releases receive a major update only once every 10 months, but still receive the same bugfix and security patches as the regular releases. Also, when you do get updated to a new ESR version, you know that it's one that's already been supported as a regular release for 2 months, so there's very little chance of surprise problems.
The current version is Firefox ESR 38, which was released as ESR on 11 August last year. The next one is ESR 45, coming on 31 May, which will last all the way until 21 March next year.
Hope that helps you.
-
Re:Holy beef
I was wondering that, so I searched and apparently Mozilla has a QA team, and they even have a blog. Morale seems to be good, they even send members of their team to conferences......
-
Re:The way to fight this
Sure you can block one IP address at a time. Then they'll switch to a range of IP addresses, then funnel *everything* through a single IP address with a proxy server. I got fed up of constantly seeing IP traffic sent out, so tried blocking things. I'm using Privacy Badger:
https://en.wikipedia.org/wiki/...
Safe Browsing also stores a mandatory preferences cookie on the computer which the US National Security Agency allegedly uses to identify individual computers for purposes of exploitation.
https://www.mozilla.org/en-US/...
"Add-ons Blocklist: Firefox contacts Mozilla once per day to check for add-on information to check for malicious add-ons. This includes, for example: browser version, OS and version, locale, total number of requests, time of last request, time of day, IP address, and the list of add-ons you have installed. You can turn off metadata updates at any time, but it may leave you open to security vulnerabilities."
"To help display relevant snippets, Firefox sends Mozilla a monthly request to look up your location at a country level using your IP address. We then send that country level information back to Firefox, where it's stored locally. Firefox will then choose snippets to show you based on the locally stored country information."