Slashdot Mirror

Here is an addendum that I would have added to the original message IF the EDIT/ADD Slashdot feature request I propose here was implemented, please vote for it!

Here is a good description of the ESC key behavior change which among other things introduces a Firefox add-on called SuperStop . SuperStop adds a Shift-ESC key combination which most often succeeds in shutting everything down. But it is it is apparently unable to prevent the triggering of JS timers that have been set... allowing persistent-connection-abusive sites like Yahoo News to awaken from the dead to do more nasty poodle doo.

I use Cookie Monster.

If you really want to do fine-grained cookie management, use a plugin. I use Cookie Monster.

If you really want to do fine-grained cookie management, use a plugin. I use Cookie Monster.

The feature that was removed is a basic cookie management option where addons do a much better job with a better UI.

If you really want to do fine-grained cookie management, use an addon. I use Cookie Monster.

I like that Mozilla removes useless limited features that I long ago replaced by a powerful addon. The Firefox core must have good APIs (for example cookie management, cookie filtering) on which extensions can be built.

This feature is available through plugins.

If you really want to do fine-grained cookie management, use a plugin. I use Cookie Monster.

If you really want to do fine-grained cookie management, use a plugin. I use Cookie Monster.

I didn't mean to be misleading. I assumed closed-source add-ons would be compiled, so at least the sensitive parts would be binary. You are right that submitting a pure JavaScript add-on would give Mozilla access to the source, as well as others when Mozilla is hacked or an employee steals your code.

However, I was wrong about the binary bit. Mozilla requires access to the source code even for binary add-ons. It looks like they will automatically sign the add-on, but reviewers will need to manually check the code at some point. They say to contact them if you can't provide the source code, so hopefully they are accommodating for businesses that want to keep their add-ons private.

Source Code Submission

Add-ons may contain binary, obfuscated and minified source code, but Mozilla must be allowed to review a copy of the human-readable source code of each version of an add-on submitted for review. In such cases, the author will receive a message when the add-on is reviewed indicating whom to contact at Mozilla to coordinate review of the source code. This code will be reviewed by an administrator and will not be shared or redistributed in any way. The code will only be used for the purpose of reviewing the add-on.

If your add-on contains code that you don't own or can't get the source code for, you may contact us for information on how to proceed.

I thought you could submit binary add-ons (e.g. using js-ctypes) to get around sharing source code for unlisted add-ons. I was mistaken, sorry about that. The only other suggestion I have is if your add-on's functionality can be duplicated in GreaseMonkey, you can go that route and can avoid releasing your code to Mozilla. Good luck...

I didn't mean to be misleading. I assumed closed-source add-ons would be compiled, so at least the sensitive parts would be binary. You are right that submitting a pure JavaScript add-on would give Mozilla access to the source, as well as others when Mozilla is hacked or an employee steals your code.

However, I was wrong about the binary bit. Mozilla requires access to the source code even for binary add-ons. It looks like they will automatically sign the add-on, but reviewers will need to manually check the code at some point. They say to contact them if you can't provide the source code, so hopefully they are accommodating for businesses that want to keep their add-ons private.

Source Code Submission

Add-ons may contain binary, obfuscated and minified source code, but Mozilla must be allowed to review a copy of the human-readable source code of each version of an add-on submitted for review. In such cases, the author will receive a message when the add-on is reviewed indicating whom to contact at Mozilla to coordinate review of the source code. This code will be reviewed by an administrator and will not be shared or redistributed in any way. The code will only be used for the purpose of reviewing the add-on.

If your add-on contains code that you don't own or can't get the source code for, you may contact us for information on how to proceed.

I thought you could submit binary add-ons (e.g. using js-ctypes) to get around sharing source code for unlisted add-ons. I was mistaken, sorry about that. The only other suggestion I have is if your add-on's functionality can be duplicated in GreaseMonkey, you can go that route and can avoid releasing your code to Mozilla. Good luck...

Something of a biased set. I've been using Firefox on Android for over a year, and I am very happy with it. I wasn't aware until your post that Mozilla was collecting satisfaction stats, and even now I can't really be bothered to post there - but I probably would if I were unhappy with it. Firefox with the self-destructing cookies add-on is the only mobile browser that I've found that gives me the cookie management policy that I want.

Perhaps they're expecting people to install add-ons? Fine-grained cookie management was why I switched to Firefox on Android, but I actually ended up using the self-destructing cookies add-on, which has exactly the policy that I want: any site can set a cookie, but unless I explicitly opt in (which I can do retroactively with the undelete button) to keeping it, then it's deleted when I navigate away from the site. Everything works as if I had cookies set to automatically accept, but doesn't get to persist any state for me across visits unless I permit it to.

And even if it was accepted, all you're likely to get there is an exquisitely-worded reply that boils down to "screw you". For example. I don't think I've ever seen Mozilla change their mind as a result of a non-employee post on that mailing list.

uMatrix has some neat features you may be interested in - including blocking cookies and a bunch of settings. I don't think you can make it block cookies, from the home domain, by default but it will block third party cookies, scripts, etc... It's a bit like NoScript except it's better.

Think an old-school Windows software-based firewall. Now imagine that for your browser - complete with the learning curve. I just recently shared my config file with someone to get them started, somebody from here. I'd suggest a more personalized settings but that's okay to start with someone else's.

It uses whitelisting. Yup. If it's not from the first-party, it's blocked by default and that includes scripts, frames, xss, cookies, etc... I believe, now that I look at it, you can probably set it to block all cookies (even from first-party) by default and then whitelist the site as you go.

The good news is that there's a version for it on Firefox now. I use Opera and I've had uMatrix for ages. It's made by the same guy who makes HTTP Switchboard (another nice app) and uBlock which is a bit like AdBlock Plus but much better and, again, much more refined. Though uBlock works out of the box, there's a lot more you can do with it. Combining uMatrix and uBlock gives you a whole lot of refinement options and really lets you customize your experience.

Alas, the author will not accept donations of any kind - and I've offered to send him some money, I'd even offered what some might call a good chunk of money for a regular donation. He declined and pointed me to his FAQ which, it turns out, says he does not accept donations. (I think I'd tried to send him $500, so not a whole lot.)

So, if you don't mind a small learning curve (it's not entirely intuitive but not difficult - I figured it out) and want to actually get it "right" then I recommend uMatrix. You can export your settings (your whitelist/saved sites) and use them on multiple computers which will save you some time if you're using more than one computer. It is, and I'll be upfront, a bit of work at first. However, once you get a few of your regular sites set up it's good to go. When you find something that doesn't work then you enable it. When you get it to work, you simply save it and add it to the list so that it's retained between sessions. If you're unlikely to visit the site again, don't save it. If you don't need the script(s) then don't enable them.

For each third-party, you can block or accept, set to always block, set to always allow, and whatnot. It's really very nice. I *highly* recommend spending a few hours with it enabled and seeing the difference that it makes. It does make many sites entirely unusable - but then you just enable what needs to be enabled and you're good to go. If you frequent the site then you save it. If you trust the site or just will be visiting once - don't save it but can even go so far as enabling all. It's really quite an impressive tool.

I'll go ahead and get you the link:
https://addons.mozilla.org/en-...

Opera:
https://addons.opera.com/en/ex...

Chrome:
https://chrome.google.com/webs...

If you want to get fancy and use HTTP Switchboard, or just read about it, then I'll grab that link for you too:
https://addons.opera.com/en/ex...

I'm sure you'll figure it out quickly. It's not as much work as I make it seem. I've been using it for a while and once you get it all set you're pretty much good to go with very little interruption. It's surprising how few sites that I actually care to allow to fun scripts from third parties. Sometimes, I even block them on the main sites - I don't always just set to allow.

I suppose, if you need a hand with it th

I use Self-Destructing Cookies, which accepts cookies long enough to make a session work and then deletes them automatically when you close the related tab. There's a whitelist feature.

Of course as per usual with a Firefox update, I now have no clue whether or not that extension will continue working, or whether I need to tweak some arcane setting to keep it working, or whether said arcane setting has been removed from the browser entirely... So I'll just stick with my current version for awhile. Other people can be the guinea pigs and I'll look for their reports. The trouble with that approach is that with each release, there are fewer other users out there. Mozilla seems determined to run Firefox into the ground and it's just a sad thing to watch.

Please identify WHICH add-on.

'selectivecookiedelete' v4.1.1
Just checked it, it's still doing it's job, keeping the whitelisted cookies, deleting everything else.

I love to look at Mozilla's own Firefox satisfaction stats. I check them daily. Currently the overall sentiment is 91% unhappy, and only 9% happy. When it comes to Firefox for Android, over 99% are unhappy, and only 1% are happy!

Mozilla's own stats show that their users hate Firefox. Even the most despised politicians, the ones who have fucked over millions of people, rarely get satisfaction ratings below 20%. Yet somehow Mozilla has managed to screw up so badly that not even 10% of their users are happy!

Firefox records and submits telemetry, by default, without gaining consent. If you're going to abuse your user, why can't the user at least benefit? They have telemetry, so they at least know which users have this feature enabled ("I use this feature"). If their telemetry is thorough, they know which users enabled it, then disabled it and left it off ("I tried this feature. I then stopped using it"). Now you know how popular it is, rather than just using a supposition as one of your major reasons, you have data.

They have Bugzilla. So they can query all bugs that this feature caused or was involved in. They then look at their ~100 lines of code and can decide on how disruptive the codebase is as a result of it being unmaintained and have an idea of how this state detriments the user experience.

It's crashing "multiple times a day"? Where's the data? Firefox records and submits crashes by default. Where's the query you ran that gives you this evidence? Is it the fault of the feature, it's lack of maintainer, or is something breaking it that is the fault of neither?

Fucksake. Spy on us then just ignore the damn science that it does? How very asinine.

Firefox records and submits telemetry, by default, without gaining consent. If you're going to abuse your user, why can't the user at least benefit? They have telemetry, so they at least know which users have this feature enabled ("I use this feature"). If their telemetry is thorough, they know which users enabled it, then disabled it and left it off ("I tried this feature. I then stopped using it"). Now you know how popular it is, rather than just using a supposition as one of your major reasons, you have data.

They have Bugzilla. So they can query all bugs that this feature caused or was involved in. They then look at their ~100 lines of code and can decide on how disruptive the codebase is as a result of it being unmaintained and have an idea of how this state detriments the user experience.

It's crashing "multiple times a day"? Where's the data? Firefox records and submits crashes by default. Where's the query you ran that gives you this evidence? Is it the fault of the feature, it's lack of maintainer, or is something breaking it that is the fault of neither?

Fucksake. Spy on us then just ignore the damn science that it does? How very asinine.

Firefox records and submits telemetry, by default, without gaining consent. If you're going to abuse your user, why can't the user at least benefit? They have telemetry, so they at least know which users have this feature enabled ("I use this feature"). If their telemetry is thorough, they know which users enabled it, then disabled it and left it off ("I tried this feature. I then stopped using it"). Now you know how popular it is, rather than just using a supposition as one of your major reasons, you have data.

They have Bugzilla. So they can query all bugs that this feature caused or was involved in. They then look at their ~100 lines of code and can decide on how disruptive the codebase is as a result of it being unmaintained and have an idea of how this state detriments the user experience.

It's crashing "multiple times a day"? Where's the data? Firefox records and submits crashes by default. Where's the query you ran that gives you this evidence? Is it the fault of the feature, it's lack of maintainer, or is something breaking it that is the fault of neither?

Fucksake. Spy on us then just ignore the damn science that it does? How very asinine.

Firefox records and submits telemetry, by default, without gaining consent. If you're going to abuse your user, why can't the user at least benefit? They have telemetry, so they at least know which users have this feature enabled ("I use this feature"). If their telemetry is thorough, they know which users enabled it, then disabled it and left it off ("I tried this feature. I then stopped using it"). Now you know how popular it is, rather than just using a supposition as one of your major reasons, you have data.

They have Bugzilla. So they can query all bugs that this feature caused or was involved in. They then look at their ~100 lines of code and can decide on how disruptive the codebase is as a result of it being unmaintained and have an idea of how this state detriments the user experience.

It's crashing "multiple times a day"? Where's the data? Firefox records and submits crashes by default. Where's the query you ran that gives you this evidence? Is it the fault of the feature, it's lack of maintainer, or is something breaking it that is the fault of neither?

Fucksake. Spy on us then just ignore the damn science that it does? How very asinine.

For web fonts and similar 3rd party assets you want Smart Referer. Unless the primary website's address or id is encoded in the URL, this stops such tracking.

> Would anyone care to recommend a cookie management add-on?

Self-destructing cookies:
https://addons.mozilla.org/en-...

You won't have to manually delete cookies or be harassed by those pesky "enable cookies to continue" sites. This addon accepts all cookies and then deletes them after a few seconds (plus other options). You can easily whiteliste those sites that REALLY need cookies to persist.

PS This addon has nice (frightening!) stats, too; mine are:

Removed 1626 cookies since 2/1/2016, 11:20:07 AM. Of these, at least 666 were probably attempts to track you across the web.

49 LocalStorage scopes were removed along with them. This includes 0 scopes that were created by possible trackers.

Currently monitoring 32 domains, 308 cookies and 10 LocalStorage scopes, 0 of which will expire soon.

> Would anyone care to recommend a cookie management add-on?

Self-Destructing Cookies

Cookies are automatically deleted when you navigate away from the web page that placed them. You can designate some to persist, although it isn't the most convenient UI.

^^^ This

Self-Destructing Cookies was a genuine break-through in cookie privacy.

I wish the idea would be extended to other tracker-enabling downloads like fonts and HTML5 web storage.

Prosecuting outsiders to bond members of your own tribe seems to be an inescapable human need. Liberal activists who boo comics and ensure that anyone who dares to have a different personal opinion of, say, homosexuality loses their job are just bible thumpers and Saudi Arabia morality police going by another name. They have to continuously crank up the extremes of zero tolerance for anyone who deviates from their ideas about women, minorities, native americans and so on to bond with each other and maintain self image of superior human beings who have full right to bully and discriminate against savages.

For the record, I fully believe that LGBT and all other minorities including polygamists have a right to equal, productive lives, and so should a baker who doesn't want to make a cake for their wedding. It's just that activist groups who claim to support either side are actually just on a power trip to prop up their own self esteem and find a legitimate excuse to bully others.

HTTPS will soon really be required as both Chrome and Firefox are soon going to make the non-secured warnings far more visible. It would be an embarrassment for one of the oldest tech sites to not stay caught up.

This old fart wants a user interface that (a) works without javascript and (b) does not require me to log in order to enable it.

For years now the bottom of every comments pages have said this to me:

"Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead."

But you can't do that without logging in. If system is smart enough to recognize that I have javascript disabled, it is should be smart enough to automatically serve me noscript-friendly pages.

FYI noscript is the 3rd most popular add-on to firefox and the reason is pretty simple - over the last decade and a half 99.9% of all browser exploits have had javascript as a necessary component. Disabling javascript is the single best security practice anyone can do. Slashdot should make it easy for people to use the website more securely.

Also it would be nice if the front page could be set to never collapse any stories. Collapsed stories are just a waste of mouse clicks, there are so many stories on the front page anyway that there is nothing to be gained by collapsing some of them. We still have to scroll a bunch anyway, saving 20 lines out of 200+ is not worth the hassle of even a single extra mouse-click.

Not only is Outlook a manifestly superior email client, the quite useful group calendar functions are infinitely better since... T-bird doesn't have group calendar functions.

What exactly do you call Lightning? Looks a lot like a calendar to me.

Lightning even supports a few network calendar formats natively. Need to sync with CalDAV? There's a plugin for that.

Oh, I see...they're not automatically included. That's a positive since not everyone needs those extra features. Some people just want email. That's what makes it nice. That's why people used to flock to Firefox before it became a giant, bloated piece of garbage.

There are a lot of things that can be said that are negative about Thunderbird (it's slow, freezes often, prone to mailbox corruption) but lacking a group calendar is not one of those negatives. It works just fine for keeping my entire family connected and aware of what's going on in the coming weeks.

Firefox defines typing in s as indicating that the user desires protection from a man in the middle (MITM). Install the Perspectives extension, which adds a second method of detecting MITM that works with self-signed certificates, and self-signed certificate errors will go away.

I know that, at least in FF, you can re-enable the /https?/ prefix in about:config.

I can't see any problem with showing clear icons for the state of the connection, which includes unencrypted being distinguishable from encrypted with a cert signed by an untrusted party (aka self-signed) vs a cert signed by a trusted party.

It's better than the current state of things, where the web browser programmers out right mis-interpret what is going on and potentially lying to the user.

For example, if I run my own CA and sign all of my own certificates, and push my CA public key by hand to computers intended to access my server, verified by hash fingerprints - this is arguably MORE secure than a "secure" public CA signed certificate that I have no control over.
After all I know exactly who signs certs with my CA - me - and despite what the public CAs and web browser programmers claim, I in fact do trust myself.

CAs are known to have signed fraudulent certs, so they are not the ultimate high tier of trust.

Of course the self-signed situation described above is very different from random snakeoil.crt style self-signed certs where the only possible way to verify the servers identity is to check the thumbprint hash. And who has time for that?

Displaying the lowest tier of security icon for non-https sounds just as useful as it has been since SSL was invented.
(After all, a lock vs a lack of a lock works good enough for anyone that cares about encryption, but I could care less what the two icons actually are of)

At least Googles approach is better than Mozillas by an infinite amount!
I'd rather use Chrome and at least have it bitch about the lack of SSL while still actually showing me the webpage.
Firefox will soon actively remove non-https support and display an "unknown protocol 'http'" error instead.
Hope you don't like browsing .html files locally in firefox :P
https://blog.mozilla.org/secur...

But but browser insecurity is because of plugins (Mozilla security bugs). I know that because browser vendors told me so in the 2000s and experts are NEVER wrong. :P

Note: bugs aren't the only problem here, it is your update process, and Oracle Java has an awful one, add to that that people do not update. OpenJDK does not suffer of this bad update process because distributions use their package manager to push updates.

Matey there are entire web sites that are nothing but ads pretending to be content, fucking hundreds of thousands of the shitty things and very often one shit head controls hundreds of them, same shitty ads, wrapped around the same shitty content (more often than not straight up scrapped off other web sites) and just presented with a different schema and name. Yes, you can be attacked by a random link on a random page because those web sites operators where not careful enough and that link lead you straight to a malvertisement site and those are often buried in ads. I prefer https://noscript.net/ as it lets pick and choose whose scripts are allowed to run and whose scripts are blocked https://addons.mozilla.org/en-... (if you are naughty no cookies for you).

This version is also the first to require signed extensions with no way to:
1) Disable the signature check at all

That is incorrect. They pushed it back again to FF46.

But more generally, I agree it is total bullshit. And what's worse is that the answer is super fucking easy. All they need to do is let the user specify a white-list of extensions that do not need signatures. Require that the white-list be kept in an admin-only writeable location, like the system-wide firefox install directory where there is already some config data. If an attacker can write to admin-only files then the whole system is already compromised anyway.

Instead they want you to use an entirely different 'unbranded' build of firefox which just means that people won't be able to get the automatic firefox updates which will result in older, more exploitable versions of firefox persisting on users' systems. So drastically less security for anyone even slightly out of the ordinary.

Dumb all around on this from Mozilla.

This version is also the first to require signed extensions

I'm confused. We are delaying the removal of this preference to Firefox 46

Just don't subscribe to anything -- every page requires you to grant it permission.

No, it requires more than that. According to Mozilla themselves, "Firefox maintains an active connection to a push service in order to receive push messages as long as it is open." Supposedly the connection is encrypted and anonymized, but you'll have to take their word on it and anyway, it's another potentially-vulnerable service running in the background. So it's not just a matter of "don't subscribe and you'll be safe"; there needs to be a way to disable this service entirely.

Oh wait... there is.

I think it has more to do with licensing.

Chromium is licensed under a BSD-like license. Mozilla uses the Mozilla Public License. This means you can create closed-source derivatives from Chromium, but not from Firefox, for instance.

Midori doesn't have DRM according to this review.

Firefox provides EME-free versions, meaning no DRM.

I also liked those add-ons before. Since NoScript has become PITA to use I switched to uMatrix. I picked it up from similar conversation here in slashdot. You might like it too.

My experience is that most ads are abusive in some way. I use these add-ons in Firefox: uBlock Origin ad blocking, NoScript, and Ghostery.

It amazes me that, when I go to the Ally Bank web site to see my accounts summary at the following URL, Ghostery says "Ghostery found 8 trackers":
https://securebanking.ally.com/#/accounts/summary

The Ally Bank URL contains the words "secure banking"!

Here are the trackers:
Advertising.com
Google DoubleClick Floodlight
Google DoubleClick Spotlight
Google Dynamic Remarketing
MediaMath Advertising
Omniture (Adobe Analytics)
Qualtrics
RUN (https://match.rundsp.com/)

There is nothing "secure" about notifying other companies that I am looking at a summary of my bank accounts!

My experience is that most ads are abusive in some way. I use these add-ons in Firefox: uBlock Origin ad blocking, NoScript, and Ghostery.

It amazes me that, when I go to the Ally Bank web site to see my accounts summary at the following URL, Ghostery says "Ghostery found 8 trackers":
https://securebanking.ally.com/#/accounts/summary

The Ally Bank URL contains the words "secure banking"!

Here are the trackers:
Advertising.com
Google DoubleClick Floodlight
Google DoubleClick Spotlight
Google Dynamic Remarketing
MediaMath Advertising
Omniture (Adobe Analytics)
Qualtrics
RUN (https://match.rundsp.com/)

There is nothing "secure" about notifying other companies that I am looking at a summary of my bank accounts!

Firefox OS security model detailed here:

https://developer.mozilla.org/...

Feel free to critique and advise them on the technical details but don't assume they haven't considered security implications already.

I like Firefox because the extension ecosystem is still miles better than Chrome after Chrome has had 50+ releases to become competitive.

Yeah, so do I. Which is why I'm really fucking pissed that Mozilla wants to get rid of this ecosystem by deprecating XUL, XBL and XPCOM and become a Chrome clone, where all extensions can do is search and replace text in web pages. Mozilla wants to say bye bye to extensions like Tree Style Tab and VimFX - and I'll be saying bye bye to Mozilla once it happens.

https://blog.mozilla.org/addons/2015/08/21/the-future-of-developing-firefox-add-ons/

From https://archive.mozilla.org/pub/firefox/releases/latest/README.txt:

This could be pasted into the location bar of a browser, or used with curl or wget, e.g.
wget -O FirefoxSetup.exe "https://download.mozilla.org/?product=firefox-latest&os=win&lang=en-US"

Wow, looks like Firefox has some real problems.
From the link quoted: https://blog.mozilla.org/secur...

How to tell if you’re affected
If you can access this article in Firefox, you’re fine.

So, if you Firefox is affected, they won't tell you about it. They'll only tell you if your Firefox is not affected.

Later, same blog post:

What to do if you’re affected
The easiest thing to do is to install the newest version of Firefox. You will need to do this manually, using an unaffected copy of Firefox or a different browser, since we only provide Firefox updates over HTTPS.

So, if your Firefox is affected, you can't upgrade it: you need to have the working version of Firefox to download a working version of Firefox.

What a Catch 22! You can't know about the problem unless you already have fixed the problem, and you can't fix the problem... unless you have already fixed the problem.

I'm sure they're having a lot of fun wanking around with these pointless projects. It must be a great way to distract yourself from the ~24,000 open bugs still waiting to be fixed in Firefox.

The Java browser plugin infected millions, loaded bloatware, and generally has been a nuisance for years.

It eventually was blacklisted from browsers.

Let's not pretend SSL certs were supposed to do things they're not. You can be certain no one is imitating the malware site. And that's all a SSL cert means.

and told they're not making any more changes until they fix a major, longstanding bug..

Odd. On Unity's performance benchmarks in 2014 and 2015 Firefox outperforms the rest. Why not work the problem with Firefox's built-in profiler or the profiler add-on? It's pretty easy to use.

Brednan Eich didn't get fired from his position of CEO of Mozilla. He voluntarily resigned.