Domain: mozilla.org
Stories and comments across the archive that link to mozilla.org.
Stories · 1,238
-
Report from HOPE: Cryptocat And Encryption in the Cloud
In a world increasingly dominated by the cloud, privacy is often sacrificed for convenience. Imagine a world where you could use cloud services without allowing the provider to read your data. Author of Cryptocat (a browser-based secure chat system) Nadim Kobeissi shared the problems he faced developing Cryptocat, his solutions, and the future of client-side cryptography. Read on for more.
Update: 07/18 03:48 GMT by U L : Slides (PDF) from and video of the talk are now online.
Despite giving workshops on Off-the-Record messaging to Middle Eastern activists, Kobeissi found that adoption was low because of the complexity of installing new chat software, plugins, generating keys, verifying your friends, etc., especially when the person on the other end had not been taught how to use OTR. At the end of the talk he gave some reasons why North American users may find it easier: we develop this software and export it so we have a community of developers available for support, whereas in the Middle East this is foreign software lacking context.
Since he was interested in client-side cryptography and there was a clear problem getting people to securely communicate, he set out to experiment with the former while solving the latter. He identified several problems thwarting success:
- Code delivery is insecure (will it be intercepted and modified? Can you trust the original server?). Compounding this, code in browsers is ephemeral, making it nigh impossible to trust.
- The JavaScript random number generator, while fine for most uses, is not good enough for encryption (its only seed is the current time, making it vulnerable to attack).
- There are no standardized primitives for working with cryptography algorithms in JavaScript, and libraries available at the time were not very good.
- Browser sandboxing was often incomplete and exploitable (a situation which has improved, but new bugs are still occasionally found). If the sandbox breaks, all bets are off.
To each problem there is a solution. For code delivery, Chrome apps proved ideal. There are interesting client side security features, bundles can be signed, sandboxing is effective (aside from the occasional convoluted exploit), and you only have to verify the source once. For encryption, he developed his own implementation of the Fortuna CSPRNG and several cryptography primitives in JavaScript, using keypress timing, mouse movement, window position, etc. for entropy (on mobile devices, the accelerometer has proven useful). Chrome later added their own implementation (which has access to the system entropy source) with Firefox support coming soon.
But where to go from here?
We need an API for transparent encryption: it should be as enforceable and easy as https. We need a full crypto toolkit in the browser, protected key storage (the author suggested protected JavaScript variables), OpenSSL compatibility (certificate formats, not the horrendous C API). And we need secure communications usable by mere mortals.
The W3C formed a web cryptography working group six months ago, with a specification due in 18 months.
Working with the Guardian project, the Cryptocat developers hope to introduce AweSoMe (always secure messaging), which aims to build a suite of utilities for easy and secure messaging (guaranteed message delivery, verifiable end-to-end encryption, and control over logging).
Development of Cryptocat2 is in progress, using XMPP rather than their experimental protocol, and mpOTR which extends OTR with group chat features and newer ciphers. The specification is half complete, and contributions were encouraged.
Although secure chat for the masses is being worked on, there is still much work to be done on securely storing data in the cloud. Luckily, the lessons learned developing Cryptocat will apply to future projects.
-
Firefox 15 Coming With Souped-Up, Faster Debugger
StormDriver writes "Firefox 15 has hit the Mozilla pre-beta Aurora channel, and it features a redesigned, built-in debugger." The original weblog post has more. Thanks to improved debugger internals in SpiderMonkey, supposedly code should run just as fast with debugging enabled as without (ever try loading Slashdot with Firebug accidentally enabled?). There are also new tools for testing mobile layouts from the comfort of your workstation, and the debugger can attach to remote processes (something Emacs users have enjoyed for years now, albeit in a hackish manner and without support for mobile Firefox). -
First Firefox Mobile OS Phones Announced
judgecorp writes "The first devices running Firefox Mobile OS, originally known as Boot to Gecko, have been announced. TCL and ZTE are making the phones, which will show up on Brazil's Telefonica Vivo network. Other operators are planning to give the phones a try. From their blog: 'Device manufacturers TCL Communication Technology (under the Alcatel One Touch brand) and ZTE today announced their intentions to manufacture the first devices to feature the new Firefox OS, using Snapdragon processors from Qualcomm Incorporated, the leader in smartphone platforms. The first Firefox OS powered devices are expected to launch commercially in Brazil in early 2013 through Telefónica’s commercial brand, Vivo.'" -
Mozilla Shows Off Junior, a Simple Browser Built for iPad
The Verge reports that Mozilla last week showed off a prototype browser built for the iPad called Junior, based on a simplified interface and gesture-based controls. Junior — remember, not a shipping product — is full-screen, and lacks tabs; most controls are off-screen until called up with an on-screen button, to emphasize whatever page is loaded. See the video demo for an idea of what Junior is like in use. -
Firefox 13 Released, Debuts Brand New Tab Page and Homepage
MrSeb writes "Mozilla has officially released Firefox 13. Unlike Firefox 12 (or 11, or 10, or indeed many of the recent Firefox versions), Firefox 13 is an important release with a handful of much-needed features that are long overdue. There's a new New Tab Page launcher, with your favorite and most-used websites, and a new default home page with one-click access to Bookmarks, Settings, Add-ons, etc. SPDY is on by default, too, which should help ameliorate the perceived speed difference between Chrome and Firefox. Finally, the developer tools (Page Inspector, Style Inspector, etc.) have been tweaked and updated!" -
Mozilla Announces Web Development Learning Initiative
bonch writes "Mozilla has announced Webmaker, a web development initiative aimed at teaching the average user the building blocks of the web. Users can join a 'code party' and learn web development with provided authoring tools, and existing developers can volunteer to run their own events. To kick it off, Mozilla is announcing the Summer Code Party starting June 23." -
New Firefox For Android Beta Released
Mozilla has announced the availability of a new beta version of Firefox for Android. The release notes list many of the new features and fixes, which include Flash support, improvements to panning and zooming, plugins loading only on touch, and a new "Awesome Screen." They point out that many Android phones are supported, and that a beta version for tablets will be coming soon. Mozilla is asking for help "testing everything from the faster startup and response times to compatibility for specific websites and graphics performance." Here's the download page. -
Mozilla Leaves Out Linux For Initial Web App Support
darthcamaro writes "Guess What? Linux is not a primary platform for Mozilla. For Mozilla's upcoming Web Apps marketplace, Linux support is not part of the initial release. Some Mozilla developers simply are shrugging this off as Windows and Mac dominate the Mozilla user landscape today." -
GNU Media Goblin 0.3.0 Released
A mere year since the Mediagoblin photo/video sharing project was started, the project has hit version 0.3.0. Release highlights include: a rewrite of the database from MongoDB to SQL (via SQLAlchemy, making it much easier to install), audio support (using the HTML5 <audio> tag), a first take on a mobile interface, and smarter video buffering. Not content to sit idle, the developers are starting work on Salmon protocol support to federate with software like Diaspora in the next release. -
Firefox 12 Released — Introduces Silent, Chrome-like Updater
MrSeb writes "Firefox 12 has been officially released, with only one major new feature: A silent, background updater. Now you will have to approve the Firefox Software Updater when you first install Firefox, but after that the browser will update silently — just like Chrome. In other news, the Find feature now reliably centers the page on any matches — hooray!" Here are the release notes, the list of bug fixes, and the download page. -
Research To "Reveal the Unseen World of Cookies"
An anonymous reader writes "The Guardian newspaper has teamed up with Mozilla to research the monitoring of online behavior through cookies and other web trackers. After downloading the Collusion add-on for Firefox, you can generate a visual representation of all the cookies that have been downloaded which are linked to the sites you have visited. This shows quite an interesting picture. The Guardian staff then want the data from Collusion to be uploaded to their site, after which they say 'we can build up a picture of this unseen world. When we've found the biggest players, we'll start tracking them back — finding out what data are they monitoring, and why.'" -
Firefox Demos Prototype Metro Interface
In order to provide an alternative to IE on Windows 8, Firefox needs a Metro UI. Luckily, development of a Metro interface for Firefox is well underway. The current build reuses the Android interface XUL (by virtue of being based on Fennec). The latest test release features lots of platform integration support: "We have Metro snap working, you can snap another Metro app to the right or left of Firefox and continue browsing. We also have HTML file input controls tied up to the Metro file picker. ... implemented the Windows 8 search contract, you can use the Search Charm from any screen on Windows 8. If you enter a URL, it will be loaded. If you enter anything else, it will be searched in your default search engine. We also implemented the Windows 8 share contract, you can use the Share Charm from any Firefox page to share that page to another application. Once you select the Share Charm it will list the applications you can share to, for example: Mail, Twitter, or Facebook." If you're interested in following development, the team has made a Mercurial repository available. Further background is provided by the first and second posts in the series. -
Mozilla Releases HTML5 MMO BrowserQuest
New submitter rasmuswikman sends this quote from an announcement at hacks.mozilla.org: "BrowserQuest is a tribute to classic video-games with a multiplayer twist. You play as a young warrior driven by the thrill of adventure. No princess to save here, just a dangerous world filled with treasures to discover. And it's all done in glorious HTML5 and JavaScript. Even better, it's open-source, so be sure to check out the source code on GitHub!" -
Mozilla To Support H.264
suraj.sun writes with a followup to last week's news that Mozilla was thinking about reversing their stance on H.264 support. Mozilla chairman Mitchell Baker and CTO Brendan Eich have now both written blog posts explaining why they feel H.264 support is no longer optional. Eich wrote, "We will not require anyone to pay for Firefox. We will not burden our downstream source redistributors with royalty fees. We may have to continue to fall back on Flash on some desktop OSes. I’ll write more when I know more about desktop H.264, specifically on Windows XP. What I do know for certain is this: H.264 is absolutely required right now to compete on mobile. I do not believe that we can reject H.264 content in Firefox on Android or in B2G and survive the shift to mobile. Losing a battle is a bitter experience. I won’t sugar-coat this pill. But we must swallow it if we are to succeed in our mobile initiatives. Failure on mobile is too likely to consign Mozilla to decline and irrelevance." Baker added, "Our first approach at bringing open codecs to the Web has ended up at an impasse on mobile, but we’re not done yet. ... We'll find a way around this impasse." -
Adobe Makes Flash on GNU/Linux Chrome-Only
ekimd writes "Adobe has announced their plans to abandon future updates of their Flash player for Linux. Partnering with Google, after the release of 11.2, 'the Flash Player browser plugin for Linux will only be available via the 'Pepper' API as part of the Google Chrome browser distribution and will no longer be available as a direct download from Adobe.' Viva la HTML 5!" And it appears that Mozilla won't be implementing Pepper anytime soon. -
Linux Of the Future May Be About Which Environment, Not Which Distribution
itwbennett writes "In its 2012 roadmap, the Mozilla Foundation highlights plans to create its own soup-to-nuts mobile platform, known as Boot to Gecko. With this move, the Mozilla Foundation 'is finally shaking off its dependence on browser revenues and treading where Google, with ChromeOS; Canonical, with Unity on Ubuntu; and (most recently) the Plasma community's Spark tablet have already started: the creation of standards-based platforms that rely on robust web applications (in varying degrees) more than native-run apps to provide the user experience,' writes blogger Brian Proffitt. 'I very much think that we are heading for a time when Linux flavors will be identified by environments, not distributions.'" -
Firefox's Web Push Notification System Announced
eldavojohn writes "Describing Notifications as 'somewhere between email and IM,' Mozilla has announced this push technology as a way to receive notifications from websites without having to keep them open in your browser — as well as receiving them on your mobile device. A JavaScript API reveals early interface ideas by the team. This core concept is not new — both Google and Apple have their own push notification systems for Android and iOS respectively. However, 'It's important to note that this push notification system is distinct from the existing desktop notification mechanisms that are already defined in pending standards. The desktop notifications that websites like GMail and Seesmic Web display to Chrome users, for example, will only work when the website is left open in a tab. Mozilla's push notification system moves beyond that limitation.' Mozilla is attempting to take push notifications to the entire web for any website to use." -
Firefox 10 Released
Taco Cowboy writes "It's time to upgrade again. Firefox 10 is out and here's a list of bugs fixed in the new version." -
Book Review: The Tangled Web
brothke writes "In the classic poem Inferno, Dante passes through the gates of Hell, which has the inscription abandon all hope, ye who enter here above the entrance. After reading The Tangled Web: A Guide to Securing Modern Web Applications, one gets the feeling that writing secure web code is akin to Dante's experience." Read below for Ben's review.
The Tangled Web: A Guide to Securing Modern Web Applications
author: Michal Zalewski
pages: 320
publisher: No Starch Press
rating: 10/10
reviewer: Ben Rothke
ISBN: 1593273886
summary: Incredibly good and highly technical book on browser security coding
In this incredibly good and highly technical book, author Michal Zalewski writes that modern web applications are built on a tangled mesh of technologies that have been developed over time and then haphazardly pieced together. Every piece of the web application stack, from HTTP requests to browser-side scripts, comes with important yet subtle security consequences. In the book, Zalewski dissects those subtle security consequences to show what their dangers are, and how developers can take it to heart and write secure code for browsers.
The Tangled Web: A Guide to Securing Modern Web Applications is written in the same style as Zalewski's last book - Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks, which is another highly technical and dense book on the topic. This book tackles the issues surrounding insecure web browsers. Since the browser is the portal of choice for so many users, its inherent security flaws leave the user at a significant risk. The book details what developers can do to mitigate those risks.
This book starts out with the observation that while the field of information security seems to be a mature and well-defined discipline, there is not even a rudimentary usable framework for understanding and assessing the security of modern software.
In chapter 1, the book provides a brief overview of the development of the web and how so many security issues have cropped up. Zalewski writes that perhaps the most striking and nontechnical property of web browsers is that most people who use them are overwhelmingly unskilled. And the fact is that most users simply do not know enough to use the web in a safe manner, which leads to the predicament we are in now.
Zalewski then spends the remainder of the book detailing specific problems, how they are exploited, and the manner in which they can be fixed.
In chapter 2, the book details that something as elementary as how the resolution of relative URLs is done isn't a trivial exercise. The book details how misunderstandings that occur between application-level URL filters and the browser when handling these types of relative references can lead to security problems.
For those that want a feel for the book, chapter 3 on the topic of HTTP is available here.
Chapter 4 deals with HTML and the book notes that HTML is the subject of a fascinating conceptual struggle with a clash between the ideology and the reality of the on-line world. Tim Berners-Lee had the vision of a semantic web, namely a common framework that allows data to be shared and reused across applications, companies and the entire web. The notion though of a semantic web has not really caught on.
Chapter 4 continues with a detailed overview of how to understand HTML parser behavior. The author writes that HTML parsers will second-guess the intent of the page developer, which can lead to security problems.
In chapter 12, the book deals with third-party cookies and notes that since their inception, HTTP cookies have been misunderstood as the tool that enables online advertisers to violate users' privacy. Zalewski observes that the public's fixation on cookies is deeply misguided. He writes there is no doubt that some sites use cookies as a mechanism for malicious use. But that there is nothing that makes it uniquely suited for this task, as there are many other equivalent ways to store unique identifiers on visitors' computers, such as cache-based tags.
Chapter 14 details the issue of rogue scripts and how to manage them. In the chapter, the author goes slightly off-topic and asks the question if the current model of web scripting is fundamentally incompatible with the way human beings work. Which leads to the question of if it is possible for a script to consistently outsmart victims simply due to the inherent limits of human cognition.
Part 3 of the book takes up the last 35 pages and is a glimpse of things to come. Zalewski optimistically writes that many of the battles being fought in today's browser war are around security, which is a good thing for everyone.
Chapter 16 deals with new and upcoming security features of browsers and details many compelling security features such as security model extension frameworks and security model restriction frameworks.
One of the more powerful frameworks the chapter deals with is the Content Security Policy (CSP) from Mozilla. CSP is meant to fix a large class of web application vulnerabilities, including cross site scripting, cross site request forgery and more. The book notes that as powerful as CSP is, one of its main problems is not a security one, in that it requires a webmaster to move all inline scripts on a web page to a separately requested document. Given that many web pages have hundreds of short scripts, this can be an overwhelmingly onerous task.
The chapter concludes with other developments such as in-browser HTML sanitizers, XSS filtering and more.
Each chapter also concludes with a security engineering cheat sheet that details the core themes of the chapter.
For anyone involved in programming web pages, The Tangled Web: A Guide to Securing Modern Web Applications should be considered required reading to ensure they write secure web code. The book takes a deep look at the core problems with various web protocols, and offers effective methods in which to mitigate those vulnerabilities.
Michal Zalewski brings his extremely deep technical understanding to the book and combines it with a most readable style. The book is an invaluable resource and provides a significant amount of information needed to write secure code for browsers. There is a huge amount of really good advice in this book, and for those that are building web applications, this is a book they should read.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase The Tangled Web: A Guide to Securing Modern Web Applications from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Firefox Javascript Engine Becomes Single Threaded
An anonymous reader writes with news about work on Mozilla's Javascript engine. Quoting Mozilla engineer Luke Wagner's blog: "With web workers in separate runtimes, there were no significant multi-threaded runtime uses remaining. Furthermore, to achieve single-threaded compartments, the platform features that allowed JS to easily ship a closure off to another thread had been removed since closures fundamentally carry with them a reference to their original enclosing scope. Even non-Mozilla SpiderMonkey embeddings had reportedly experienced problems that pushed them toward a similar shared-nothing design. Thus, there was little reason to maintain the non-trivial complexity caused by multi-threading support. There are a lot of things that 'would be nice' but what pushed us over the edge is that a single-threaded runtime allows us to hoist a lot of data currently stored per-compartment into the runtime. This provides immediate memory savings." -
Notes On Reducing Firefox's Memory Consumption
Skuto writes "At yesterday's linux.conf.au Browser miniconference in Ballarat, Australia, Mozilla engineer Nicholas Nethercote gave a detailed presentation about the history of Firefox's memory consumption. The 37 slides-with-notes explain in gritty detail what caused Firefox 4's memory usage to be higher than expected, how many leaks and accidental memory use bugs were tracked down with Valgrind plugins, as well as the pitfalls of common memory allocation strategies. Current work is now focused on reducing the memory usage of popular add-ons such as AdBlock, GreaseMonkey and Firebug. Required reading for people working on large software projects, or those who missed that Firefox is now one of the most memory-efficient browsers in heavy usage." -
Mozilla Announces Long Term Support Version of Firefox
mvar writes "After a meeting held last Monday regarding Mozilla Firefox Extended Support Release, the new version was announced yesterday in a post on Mozilla's official blog: 'We are pleased to announce that the proposal for an Extended Support Release (ESR) of Firefox is now a plan of action. The ESR version of Firefox is for use by enterprises, public institutions, universities, and other organizations that centrally manage their Firefox deployments. Releases of the ESR will occur once a year, providing these organizations with a version of Firefox that receives security updates but does not make changes to the Web or Firefox Add-ons platform.'" -
Mozilla Public License 2.0 Released
revealingheart writes "Mozilla has announced the release of the Mozilla Public License 2.0. The new version provides for compatibility with the Apache and GPL licenses, improved patent protections and recent changes in copyright law. The full license text is available online. Mozilla has updated their wiki with plans to upgrade their codebase; Bugzilla has also said that they will update (with an exemption to keep the project MPL only). The MPL was previously incompatible with other copyleft licenses like the GPL. The new version is compatible (unless exempted) and doesn't require multiple licenses (as currently stands with Firefox and Thunderbird). This will allow Mozilla to incorporate Apache-licensed code; but will mean that their software becomes incompatible with GPL2 code." -
Firefox 3.6 Support Ends April 2012
An anonymous reader writes "Mozilla for some time after switching to the rapid release process talked about releasing Extended Support Releases that would give companies and organizations some breathing space in the race to test and deploy new browser versions. With the first ESR release (which will be Firefox 10), comes the Firefox 3.6 end of life announcement. Firefox 3.6 users will receive update notifications in April to update the browser to the latest stable version by then." -
Firefox 9 Released, JavaScript Performance Greatly Improved
MrSeb writes "Firefox 9 is now available — but unlike its previous rapid release forebears where not a lot changed, a huge feature has landed with the new version: the JavaScript engine now has type inference enabled. This simple switch has resulted in a 20-30% JS execution speed increase (PDF), putting JaegerMonkey back in line with Chrome's V8 engine, and even pulling ahead in some cases. If you switched away from Firefox to IE or Chrome for improved JS performance, now is probably the time to give Firefox another shot." -
Firefox Too Big To Link On 32-bit Windows
An anonymous reader writes "Firefox has gotten so large that it cannot be compiled with PGO on a 32-bit linker anymore, due to the virtual memory limitation of 3 GB. This problem had happened last year with 2 GB, which was worked around by adding a /3GB switch to the Windows build servers. Now the problem is back, and things aren't quite that simple anymore." This only affects the inbound branch, but from the looks of it new code is no longer being accepted until they can trim things from the build to make it work again. The long term solution is to build the 32-bit binaries on a 64-bit system. -
Book Review: Head First HTML5 Programming
Michael J. Ross writes "Web designers and developers alike are increasingly enthused about the capabilities offered by HTML5, which is generally considered the combination of the latest version of the Web's primary markup language and its related technologies. Consequently, publishers have rushed to market a wide variety of books that purport to explore the inner mysteries of HTML5, even as the standards — and how browsers implement them — are still in flux. In characteristic fashion, O'Reilly Media took the time to wait for some of the dust to settle, and attempted to create a resource more approachable and solid than those thrown together quickly. The final result is Head First HTML5 Programming." Read on for the rest of Michael's review.
Head First HTML5 Programming
- author: Eric Freeman and Elisabeth Robson
- pages: 608 pages
- publisher: O'Reilly Media
- rating: 7/10
- reviewer: Michael J. Ross
- ISBN: 978-1449390549
- summary: A heavily-illustrated introduction to building web pages and web apps with HTML5.
The release of this book is quite timely, given the current developments in web technologies. As one of the underpinning components, HyperText Markup Language (HTML) has undergone tremendous change during its two-decade history — with new element names and attributes being added to try to keep up with the latest multimedia formats, design techniques, and other factors in the Internet's evolution. Even though this newest major revision, HTML5, is still not completely supported by most browsers, much of its capabilities are already available, to one extent or another. Also, forward-thinking designers and developers are not waiting for the final blessing by the W3C to begin learning what they can do with it now and in the future.
This book was written by Eric Freeman and Elisabeth Robson, both of whom possess a lot of experience with the subject matter. This title was released on 18 October 2011, under the ISBN 978-1449390549. Its considerable size, 608 pages, is partly due to the extensive use of humorous pictures, actors, scenarios, clever drawings, and a generous use of whitespace — characteristic of other titles in the Head First series. At first glance, these elements might seem like cartoonish gimmicks, meant only to boost the page count or keep graphics employees busy. Actually, these methods are intended to help readers retain the new knowledge, and make the learning process more pleasant. This approach is covered in more detail in the book's introduction.
The material is organized into ten chapters, followed by an appendix. The only technical prerequisite, for prospective readers to get the most out of the book, is a solid understanding of HTML and CSS. Some JavaScript knowledge would be helpful, but is not necessary. On the publisher's page, visitors will find more details about the book, a couple reader reviews, some brief author bios, links to purchase the print and electronic versions (PDF is the only format), and the reported errata (of which there are eight, as of this writing). The example code and other files for the book can be obtained from WickedlySmart.
The first chapter introduces HTML5, at a high level and a fast pace, focusing on the new features that it offers, such as the new JavaScript APIs: embedded video and audio (without the use of plug-ins), client-side data storage, off-line web apps and caching, geolocation, canvases, sockets, Web Workers, and advanced capabilities for forms and drag-and-drop. JavaScript is also introduced, with some simple example code. Much more detail is presented in the subsequent chapter. The only confusing point is, on page 53, when the authors state that there are three different ways to add JavaScript code to a web page, but the figure shows four permutations. The third chapter explains how to work with events and handlers, using a simple music playlist app to illustrate the ideas. In the subsequent chapter, functions and objects are explored in much greater detail, and the presentation is quite methodical and comprehensible.
With Chapter 5, "Geolocation," the authors shift from establishing a foundation of basic JavaScript knowledge, to showing how to apply it for constructing web applications. In the case of geolocation, readers are stepped through the process of building a simple web app that detects the user's current position, displays it on a Google map, and tracks any changes in the position. The next chapter shows how to make one's code work with web services, using the JavaScript communication APIs, and why JSONP bypasses the problems with XMLHttpRequest requests being blocked for security reasons by the JavaScript same-origin policy. The presentation is solid, except for the claim on page 257 that the callback receives an object, when actually it receives an array of objects. Chapter 7 explicates the new canvas element, which offers capabilities encroaching upon the realm of Adobe's Flash. The next chapter, titled "Video," is a logical continuation of the discussion on the canvas element, because the latter allows one to do a lot more with the video API. The authors demonstrate how to do that, after discussing the different video formats and techniques for writing robust HTML to accommodate as many brands and versions of browsers as possible.
HTML5 has taken the venerable browser cookie, and extended its storage capacity tremendously, in the form of the local storage API (a.k.a. "Web Storage"), which is addressed in the penultimate chapter. Sadly, no troubleshooting information is provided in case the reader finds that the example code does not work in Firefox, even when using a web server (i.e., "http://" instead of "file://") — and instead fails quietly with an error message "localStorage is null" in the JavaScript error console. (For those who are interested, one source of the problem is when the Firefox configuration preference "dom.storage.enabled" has somehow been set to "false.") The tenth and final chapter, "Web Workers," shows how to utilize multithreading in JavaScript code to improve its performance, when possible. Readers using Firefox 8.0 (the latest version as of this writing) will likely find that the example code does not work on a localhost, throwing a "Could not get domain" error message, as a result of a known bug. The appendix briefly covers ten additional topics not discussed in the chapters, including Modernizr, the audio element, jQuery, XHTML, SVG, and more.
With a book this size, it is inevitable that it will contain various blemishes. Some of them are a result of the book production process: In the text, JavaScript tokens are not distinguished from English words in any manner (such as a monospace font or bolding), which can trip up the reader. On some of the two-page spreads, the portions of the images and arrows get lost in the book's gutter. In the many illustrations involving one or more persons saying something, their statements are shown in thought bubbles, which is mildly but invariably disconcerting. Other flaws are results of the writing and/or editing: Commas are oftentimes used where semicolons or periods were called for, or just missing altogether — especially in the mock interviews. Sometimes the conversational style — characteristic of the Head First series — becomes a bit too casual, and in some places the authors are trying too hard, such as the repeated use of "skool."
The example code is generally of good quality, but not always consistent; for instance, is employed in some places, but elsewhere — leaving the reader to wonder why. Also, there's at least one case of (incorrect) curly quotes in the code (page 454). It is helpful to have the example code available for download, although it would have been decidedly better had the root directory of the archive file contain an index.html pointing to all of the included apps, so readers could bookmark that single starting point, rather than having to modify their browser's URL each time. In addition, it is oftentimes not obvious as to which chapter subdirectory corresponds to any given location in the book.
However, the main problem with this book is the sloppy editing, evidenced by the notably high number of errata: "pin point" (page xiv), "test editor" (xxii; should read "text editor"), "iPhone" (xxv; should read "HTML5" or something similar), "folks that" (xxxi; should read "folks who"), "get [a] sense" (1), "on the page 2" (3), "can you get a long way" (21), "assign it [the] empty" (26), "you can also thrown in" (40), "its got" (46), "Your job is the act like" (57), "lets concentrate" (58), "get [the] length" (68), "Go ahead an open up" (90), "What you can" (129; should read "What can you"), "a object" (142), "an new object" (147), "to to" (158), "you [are] saying" (158), "users location" (166), "south" (167), "three properties" (177; should read "four properties"), "google" (186), "including [the] last two methods" (192), "give it a try it" (218), "will use" (220; should read "we'll use"), "take a 90 milliseconds" (221), "the this code" (249), "with out with" (268), "HTML =" (271; should read "HTML5 ="), and "an drawable region" (285). These are just the errata found in the first half of the book. Fortunately, they are in the narrative, and not the example code, which would have had a much more negative impact upon the reader.
This book is definitely an introductory tutorial, and by no means a reference. Not all of the new HTML5 elements are covered, nor is CSS3 provided full coverage. The repetition of concepts may aggravate experienced or impatient programmers: For people with some experience with these technologies, and for people who readily glean information from technical books upon first exposure to the given concept, the frequent repetition in this book would border on tiresome, if it weren't presented so pleasantly, oftentimes with humor. On the other hand, the Head First books are predicated on the approach of presenting information in different formats, to maximize learning. Any newbie should appreciate this volume's clear explanations, even if they are presented multiple times, but differently. Also, there is plenty of testing of one's knowledge, to reinforce what has been learned.
Head First HTML5 Programming is an entertaining yet instructive and compelling tutorial on how beginners can learn to use many of the advanced new techniques in HTML, CSS, and JavaScript.
Michael J. Ross is a freelance web developer and writer.
You can purchase Head First HTML5 Programming from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Firefox 8.0 Released
Today Mozilla announced the launch of Firefox 8.0. The headline features this time around include adding Twitter as a search bar option, tab loading tweaks, and the default disabling of addons installed by third-parties. "Sometimes you download third-party software and are surprised to discover that an add-on has also installed itself in your browser without asking permission. At Mozilla, we think you should be in control, so we are disabling add-ons installed by third parties without your permission and letting you pick the ones you want to keep." Here are the release notes and download links.