Slashdot Mirror

Surely Dave Winer can't be that out of touch. Firefox OS nails it.

In Firefox OS everything is written in JavaScript, the most widely-deployed scripting language that developers already know. Unlike all the other also-rans to IOS and Android, its system applications — calendar, on-screen keyboard, music player, etc. — are likewise written in JavaScript. To permit this, and unlike BBX, OpenWebOS, Tizen, Windows 8, and everyone else saying "Write apps for our failing platform using HTML/CSS/JavaScript", it has Web APIs to most phone features (battery status, Bluetooth, camera, SMS, etc.), all on various tracks towards standardization. Like lots of phones you can run your apps on the desktop in an emulator; unlike lots of phones the Firefox OS Simulator runs in your browser. Unlike any other smartphone many of the apps you write for the phone will also run and install unchanged as apps on desktops (and Android) running Firefox, many will also work as Chrome apps with minimal effort, and anyone can run an app store, you just put an install button for your app on a web page on your site.

Also in some point, for some models, will be released Ubuntu Touch, and maybe you can install on your phone Firefox OS too. Those uses android's boot (open source code, but not sure about device drivers), but what runs over there is afaik fully open source.

Then they can make a public and private key for whatever.com. Then they use their fake Intermediate CA Inc.certificate to sign that. Unless you the person visiting whatever.com specifically have an original copy of the real whatever.com certificate public key, and you look at the public key of the certificate every time you visit the website, you'll never notice that the NSA has replaced the real certificate with theirs. As long as they're using the correct Verisign private key, your browser will not detect any problems.

This is precisely why you should be checking site fingerprints and using browser add-ons like Certificate Patrol, in combination with a secure browser (eg: TorBrowser).

If you blindly stumble around the Internet accepting certs, not checking source and destination, you deserve what you get. If you verify the authenticity of your connections, and deny/block/forbid those that don't match, you'll be much closer to the secure environment we're all striving for.

https://blog.mozilla.org/security/2011/09/02/diginotar-removal-follow-up/ would seem to say otherwise.

That's a good point. Browser fingerprinting can definitely improve the value of whatever other information they think that they have. However, even that can be defended against if one installs the proper extensions. My personal favorites, in addition to the usual trifecta of AdBlock, NoScript and Ghostery are FireGloves (randomizes information that could otherwise be used to generate a browser fingerprint) and Secret Agent (rotates your user agent string randomly using a customizable list ala the rotating license plates on the bond cars).

That's a good point. Browser fingerprinting can definitely improve the value of whatever other information they think that they have. However, even that can be defended against if one installs the proper extensions. My personal favorites, in addition to the usual trifecta of AdBlock, NoScript and Ghostery are FireGloves (randomizes information that could otherwise be used to generate a browser fingerprint) and Secret Agent (rotates your user agent string randomly using a customizable list ala the rotating license plates on the bond cars).

That's a good point. Browser fingerprinting can definitely improve the value of whatever other information they think that they have. However, even that can be defended against if one installs the proper extensions. My personal favorites, in addition to the usual trifecta of AdBlock, NoScript and Ghostery are FireGloves (randomizes information that could otherwise be used to generate a browser fingerprint) and Secret Agent (rotates your user agent string randomly using a customizable list ala the rotating license plates on the bond cars).

That's a good point. Browser fingerprinting can definitely improve the value of whatever other information they think that they have. However, even that can be defended against if one installs the proper extensions. My personal favorites, in addition to the usual trifecta of AdBlock, NoScript and Ghostery are FireGloves (randomizes information that could otherwise be used to generate a browser fingerprint) and Secret Agent (rotates your user agent string randomly using a customizable list ala the rotating license plates on the bond cars).

For opt-out cookies as a Firefox add-on, allowing cookies that never go away, check here:
https://addons.mozilla.org/en-US/firefox/addon/beef-taco-targeted-advertising/

Job done.

Except it's not even close to done. This protocol is far more secure than no security at all, but is vulnerable to a number of different attacks. If you think the solution is simple, it's because you don't really understand the scope of the problem.

1) How do you trust that the keys posted on the public key servers? Say I wanted to send you a message, How do I know that the key posted on the key server is in fact, from you? (See Certificate Authority) If a malicious party could intercept messages to you and decrypt them (using the bogus public/private key pair) and then re-encrypt the message to you using your formerly available public key, you'd receive the message and have no knowledge of the MITM attack.

2) Given today's environment for gag orders, how do I know that the Certificate Authority is trustworthy? (I don't) Thus, even when signed by a CA, I have little assurance that scenario #1 isn't happening even if protected by CA.

3) A simple DOS of the Key server will prevent anybody from knowing that you are, in fact, using a public key anyway.

4) Which of the numerous Key exchange protocols are YOU using to protect your email? Assume I'm a whistleblower and you are a media rep, and I have some important stuff that you should know. How am I supposed to discover which of the various security mechanisms that you are using? Publishing incorrect information about how you are securing your exchange allows for another type of MITM attack, even when you are doing everything right.

The reality is that the NSA's action and the USA's current legal structure create an environment where literally nothing can truly be trusted. As long as laws that allow for demanding information from a company in conjunction with a gag order preventing disclosure, we can literally not trust a single US Internet company with any type of cryptographic protection. Not just Google/Yahoo/Microsoft, but also any and all CAs, and anybody that depends on CAs to do their job.

So, use a CA from oversees, right? Not subject to US law? Sorry, but that doesn't do it either. Most browsers/email clients are configured with dozens to hundreds of "trusted" CAs. Somebody impersonating you only needs to get a public/private key signed by *any* "trusted" CA in order to not have your browser/email client complain about a MITM attack. In order to properly secure my web-based product with SSL, I not only have to ensure that I'm doing business with a secure CA, but I also have to ensure that every CA trusted by anybody, anywhere is similarly secured. Since there is no way to validate this, and laws exist that prohibit me from knowing if the CA's root key has been given to the NSA, I have no way to do this.

So, in reality, with the security mechanisms in place to protect trust on the Internet, we have an attack footprint that is long, wide, and deep. To call this situation "bad" is a tremendous understatement. The NSA and the United States government have eradicated any actual ability to trust anything online with the current infrastructure. Only with the addition of additional layers of "trustability" can we truly protect ourselves. Tools such as Certificate Patrol at least alert you when certificates change.

Does Jah-Wren Ryel work for the Times and is trying to increase subscription numbers? A link to a paywall is no citation whatever.

I use a combination of plugins that have the side-effect of making most paywalls disappear, I don't even know it is there.
I recommend you do it too:

CookieSaver Lite - Set to block the NYTimes cookies
RefControl - Set to spoof the referrer when reading all NYTimes pages as "http://google.com/"
NoScript - The NY Times does not need javascript for most pages. This may be optional for the NY Times but there are some paywalls like foreignpolicy.com that do rely on javascript.

FYI - the NY Times article is the definitive citation as they are the ones who broke the story.

Does Jah-Wren Ryel work for the Times and is trying to increase subscription numbers? A link to a paywall is no citation whatever.

I use a combination of plugins that have the side-effect of making most paywalls disappear, I don't even know it is there.
I recommend you do it too:

CookieSaver Lite - Set to block the NYTimes cookies
RefControl - Set to spoof the referrer when reading all NYTimes pages as "http://google.com/"
NoScript - The NY Times does not need javascript for most pages. This may be optional for the NY Times but there are some paywalls like foreignpolicy.com that do rely on javascript.

FYI - the NY Times article is the definitive citation as they are the ones who broke the story.

if ms' s compiler is freely available

When Mozilla Application Suite (now SeaMonkey) and Phoenix (now Mozilla Firefox) were first being developed, there was no such thing as Visual C++ Express.

then there's no obligation

There's no legal obligation. But requiring a paid compiler, as Mozilla did before Microsoft introduced Visual C++ Express, does shut out much of the public from participating.

plus the scripts used to control compilation and installation

I'm not so sure of the extent to which Microsoft allows Mozilla to distribute "the scripts used to control compilation and installation" of a Windows 8 style (formerly Metro) application such as Metro Firefox, especially when such "scripts" may include private code signing keys.

I realised I was wasting far too much time on Facebook a couple of years ago, along with other forums, and found it hard not to browse there - often, I found that I was just typing the URL without thinking about it, and loading the site without giving it any thought. A friend recommended BlockSite to me, and, whilst I felt a bit stupid at needing this crutch, I took it, and managed to get things back under control.

Just add in the URLs of the site in question, and it blocks access to the pages (and elements at those URLs from loading as part of other pages). Editing a hosts file is probably just as suitable, but this worked for me...

It's been in Firefox for a very long time. https://wiki.mozilla.org/Tabbed_Browsing/User_Interface_Design/Restoring_Closed_Tabs

try https://addons.mozilla.org/en-us/firefox/addon/textarea-cache/

* You don't have to install apps to use them.
* If they can pull off the update schedule (which they need to) it's going to be much better than Android for updates: https://blog.mozilla.org/futurereleases/2013/07/19/mozillas-heartbeat-quarterly-firefox-os-releases/
* We need at least one more Open phone option

If it's any consolation, "Seamonkey" is actually a compromise with PR:

Seamonkey (with lower-case m) has been the codename for the Mozilla Suite for some time, though it originally was invented by Netscape management as a codename for the release later called Netscape 6 — they simply needed a "politically correct" version of the codename Buttmonkey (symbolised as *~ and making a "rheet" sound) their developers had actually voted for (and apparently Jenga was the run-in in this voting).

(source)

I was wondering the same thing. A large percentage of sites point at at least one of google-analytics.com, googleadservices.com, *.googleapis.com (and likely others). An addon like RequestPolicy for Firefox lets you limit connections to 3rd party websites (and can be educational as well).

Perfect for Windows 8 then?

I have a convertible Windows 8 laptop, and Firefox needs some work, like the rest of the OS. See, for instance, this bug.

Also, the frigging laptop keeps locking the screen upside down and I have to keep unconverting it and reconverting carefully. Totally awesome.

Actually, it's been Fx since the name was created so many years ago. http://www.mozilla.org/en-US/firefox/releases/1.0.6.html#FAQ

Mozilla Corporation is a corporation. I don't see what that changes.

just download the latest tarball from mozilla and unpack it into a directory like /local or /opt, then run firefox/firefox on that path what's the big deal?

http://releases.mozilla.org/pub/mozilla.org/firefox/releases/

It's not like google could handle it either.

Yes they did. http://www.youtube.com/html5

Mozilla didn't find it too difficult either. https://addons.mozilla.org/en-us/firefox/addon/youtube-all-html5/

Face it, Microsoft are using their customers as tools to play spiteful games. They started by trying to disable adverts to deprive Google of the income from YouTube, now they've cooked up another nasty little scam to make an app that breaches Google's agreement with their clients.

Microsoft is a company that desperately needs some adult supervision.

Blocking third-party cookies, which I've done for years, isn't enough. You also need something like Abine's DoNotTrackMe, which blocks most of the known tracking sites. And you may have to go to the Flash preferences page and turn off some things there.

The BlockSite add-on for Firefox might seem useful, but it's spyware - it reports all your browsing activity to a site in the Czech Republic ("api.wips.com") If you don't "opt in", it won't let you visit major sites like Hotmail. That's acceptable to Mozilla's "Developer Relations Lead". Mozilla isn't as tough on privacy as their PR people say they are.

Blocking third-party cookies, which I've done for years, isn't enough. You also need something like Abine's DoNotTrackMe, which blocks most of the known tracking sites. And you may have to go to the Flash preferences page and turn off some things there.

The BlockSite add-on for Firefox might seem useful, but it's spyware - it reports all your browsing activity to a site in the Czech Republic ("api.wips.com") If you don't "opt in", it won't let you visit major sites like Hotmail. That's acceptable to Mozilla's "Developer Relations Lead". Mozilla isn't as tough on privacy as their PR people say they are.

Blocking third-party cookies, which I've done for years, isn't enough. You also need something like Abine's DoNotTrackMe, which blocks most of the known tracking sites. And you may have to go to the Flash preferences page and turn off some things there.

The BlockSite add-on for Firefox might seem useful, but it's spyware - it reports all your browsing activity to a site in the Czech Republic ("api.wips.com") If you don't "opt in", it won't let you visit major sites like Hotmail. That's acceptable to Mozilla's "Developer Relations Lead". Mozilla isn't as tough on privacy as their PR people say they are.

... does this mean I don't have to install AdBlock Plus, DoNotTrackMe, Ghostery, and NoScript Security Suite anymore?

Or should I keep them around?

... does this mean I don't have to install AdBlock Plus, DoNotTrackMe, Ghostery, and NoScript Security Suite anymore?

Or should I keep them around?

... does this mean I don't have to install AdBlock Plus, DoNotTrackMe, Ghostery, and NoScript Security Suite anymore?

Or should I keep them around?

... does this mean I don't have to install AdBlock Plus, DoNotTrackMe, Ghostery, and NoScript Security Suite anymore?

Or should I keep them around?

I assume Netscape Portable Runtime isn't also NeXTstep or NeXT/Sun. The name dates back to a company bought by AOL that handed off development of Mozilla to Mozilla Foundation. Have there been namespace clashes over this?

Firefox is just an open source browser. If you don't like what they are doing, make a fork called Ad-Fox.
Here:
https://developer.mozilla.org/en-US/docs/Developer_Guide/Source_Code/Mercurial

Well, you can use my addon as a starting point if you wish.

I do include AES and DES encryption there, so both sides need a password, but it can be modified to add other forms of encryption fairly easily.

I'm on the verge of installing this Enigmail addon for Thunderbird, however as Thunderbird still uses my web based mail provider it will still show who it's too and from etc, does anyone know of a completely peer to peer e-mail system which could get around this?

You trust Mozilla even though they want to build aggregating and selling your browsing history and "interests" (derived from the contents of the pages you visit) into the Firefox browser?

Maybe browsers should come with such a feature by default, with the possibility to disable it if/when you want. There's at least one Firefox add-on that does something similar (random searches on main search engines).

Firefox doesn't use keychain access on Mac. It uses its own password store, encrypted with its own master password. That's why https://bugzilla.mozilla.org/show_bug.cgi?id=106400 is still open.

Likewise on Windows, last I checked.

I haven't checked recently whether Firefox use gnome-keyring on Gnome, but based on past code inspection I rather doubt it.

So set a Master Password: https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins
More here: http://kb.mozillazine.org/Master_password

Almost no users actually use this: http://monica-at-mozilla.blogspot.com/2013/02/cant-live-with-them-cant-live-without.html
"....can be solved somewhat with master password, but only 1 out of 12K users had master password enabled"

I also discovered this today. Fortunately, there is already an add-on to restore the old functionality.

As far as I can tell, the only major browser that allows you to hide the tab bar, when only one tab is shown, is SeaMonkey. The latest versions of Chrome, Opera, Firefox, and IE force you to show the tab bar at all times.

understandable, having set your search engine, it reverts back to some other one depending which box you type into... I can see why they did this. I can also see why they won't revert it as you can already use keywords (scroll down) to specify which engine to use.

I guess nobody really cared when it was first set like that because the default was Google.. imagine the outcry if it was Bing that got searched if you used the address bar!

You can download Firefox for Android right here: http://ftp.mozilla.org/pub/mozilla.org/mobile/releases/23.0/android/

Here is the bug in question. Note that there is a bit of dissent in a few of the comments....

https://bugzilla.mozilla.org/show_bug.cgi?id=855370

Here is the whole story:

https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/

Just sharing the love (or the protection from decisions for the sake of everyone): this extension apparently allows you to hide the tab bar complete (didn't check), and this hiding the tab bar when single-tab browsing.

And wasn't it Mozilla who complained that the main reason Firefox ate up so much memory was because people were running 'too many addons'? It seems we're nearing a point where Firefox is only an addon manager, and all the functionality is addon based.

This removal of features is getting extremely irritating, I want to customize my browser to look the way I want it to, not some dev, not some group of self-proclaimed experts. If I wanted lack of choice I'd be using IE or Chrome. What worries me is that fact that the new UI 'upgrade' (aka Australis) looks almost exactly like Chrome. I have a feeling once it oozes from the ground and smears itself all over the interface even more addons will be necessary to restore the classic look and feel.

Just sharing the love (or the protection from decisions for the sake of everyone): this extension apparently allows you to hide the tab bar complete (didn't check), and this hiding the tab bar when single-tab browsing.

And wasn't it Mozilla who complained that the main reason Firefox ate up so much memory was because people were running 'too many addons'? It seems we're nearing a point where Firefox is only an addon manager, and all the functionality is addon based.

This removal of features is getting extremely irritating, I want to customize my browser to look the way I want it to, not some dev, not some group of self-proclaimed experts. If I wanted lack of choice I'd be using IE or Chrome. What worries me is that fact that the new UI 'upgrade' (aka Australis) looks almost exactly like Chrome. I have a feeling once it oozes from the ground and smears itself all over the interface even more addons will be necessary to restore the classic look and feel.

Seems that the mozilla devs have refused to revert back to the previous behavior:

https://bugzilla.mozilla.org/show_bug.cgi?id=890890

The Social Media API isn't a Facebook only thing. It can be used with any site.

For example here Ericsson demonstrates how WebRTC and Social Media API can be combined to be the corporate "unified communications" system (PBX, chat, whatever):

https://blog.mozilla.org/blog/2013/02/24/webrtc-ringing-a-mobile-phone-near-you/

Just sharing the love (or the protection from decisions for the sake of everyone): this extension apparently allows you to hide the tab bar complete (didn't check), and this hiding the tab bar when single-tab browsing.

Just sharing the love (or the protection from decisions for the sake of everyone): this extension apparently allows you to hide the tab bar complete (didn't check), and this hiding the tab bar when single-tab browsing.