Slashdot Mirror

Today Mozilla announced the launch of Firefox 8.0. The headline features this time around include adding Twitter as a search bar option, tab loading tweaks, and the default disabling of addons installed by third-parties. "Sometimes you download third-party software and are surprised to discover that an add-on has also installed itself in your browser without asking permission. At Mozilla, we think you should be in control, so we are disabling add-ons installed by third parties without your permission and letting you pick the ones you want to keep." Here are the release notes and download links.

Last week, you asked questions of "father of the Internet" Vint Cerf; read on below for Cerf's thoughts on the present and future of IPv6, standards and nomenclature, the origin of his beard, and more. Thanks, Vint! What can we do to get ISPs to switch on IPv6?
by jandrese

One of the biggest hurdles to IPv6 adoption today is that the average home user simply cannot get an IPv6 address from their ISP. Tunnels are hacker toys, and completely impractical/impossible for people who are using their ISP's "home router". What do you think we can do to convince ISPs to start rolling out IPv6 [i]before[/i] there is a crisis? Everybody agrees that the transition will go smoother if we take it slow and easy, but nobody is willing to make the first step, and IPv4 addresses aren't still being inexorably depleted the world over.

VC: I have been asking myself (and others) this question for some years now! When you try to explain that they can't really expand the Internet effectively relying solely on cascading NAT boxes they kind of glaze over. Sadly, now that we really are in the IPv4 end-game, there is not much choice but to deploy NATs to try to make dual-stack work as a transition plan. If ISPs had started implementing IPv6 5 years ago we would not have this problem. I think only pressure from consumers, businesses and governments to demand IPv6 implementation will help. Even then, I can imagine the bean counters insisting that there be incremental revenue for implementing IPv6 despite the simple fact that the only serious path to supporting smart devices (including smart grid, mobiles with IP addresses, etc) is through implementation of IPv6. We are also going to have to find some incentives for users to upgrade their home routers to handle both IPv4 and IPv6. Maybe a trade-in policy???

IPV6, and a related question
by gr8_phk

With IPv6 we could all have fixed IP addresses (or blocks of them) at home. Is this likely to happen? What do you see as the pros and cons from the ISP point of view for doing this? I think the reasons I want it are the reasons they don't, but I'd like to know how someone with your perspective sees it.

VC: We could actually have a fairly large group of IPv6 addresses at each termination point. An advantage is that one could then run servers but some ISPs might find that problematic because of the potential uplink traffic. I ended up paying for "business" class service to assure fixed IP addresses for that reason. I did not have servers of video or imagery in mind, but, rather, controllers and sensors (and ability to print remotely, for instance).

Hardware accelerated IPv6
by vlm

Hardware accelerated ipv4 routing/switching was out there, I dunno, at least a decade ago, or more. Your expectations on the rollout of hardware accelerated ipv6 switching?

VC: It probably won't happen until there is clear evidence of an IPv6 tipping point. Of course, it makes every bit of good sense and the IPv6 format is better geared to hardware assist than IPv4.

Why the colon in IPv6?
by jandrese

The biggest thing I hate about IPv6 is that the standard format uses colon as the digit separator. On most keyboards, that is a fairly awkward character to type, especially in rapid fire between groups of hex digits. Also, it causes problems for the many many programs that specify ports after IP addresses with a colon (like URIs!). IPv4's use of the period instead is much nicer. If you didn't want to reuse the period (so programs can distinguish between the two types of addresses more easily), why not use dash instead? It's just as visually appealing and doesn't require you to hit shift to type it. It would have saved a whole lot of ugly brackets around IP addresses.

Any aesthetic qualities of the colon are lost when you have to do this:
http:/// [http] [1005:3321:5a52:4fca::1]:8080/
instead of: http://1005-3321-5a52-4fca--1:8080/ [1005-3321-5a52-4fca--1]

And that second example was noticeably quicker for me to type.

Edit: And of course because this is Slashdot it made a huge mess of the first URL and forced me to mess it up slightly to be readable!

VC: The colon was needed to allow for compressed display of IPv6 addresses and to avoid confusion with a dotted representation of IPv4. It was apparently the only character thought to be unencumbered for this purpose at the time. Other slashdot readers may have additional comments on this.

Hindsight is 20/20
by eldavojohn

If there was one thing you could go back and change about TCP/IP -- something that is far too entrenched to change now -- what would it be?

VC: Well, I wish I had realized we'd need more than 32 bits of address space! At the time, I thought this was still an experiment and that, if successful, we would develop a production version. I guess IPv6 is the production version! I would also have included a lot of strong authentication mechanisms but at the time we were standardizing TCP/IP (version 4), there was no practical public key crypto capability ready in hand.

.here TLD?
by TheLink

Do you think there should be a .here TLD, reserved officially for local use in an analogous way to the way that the RFC1918 IP addresses are reserved officially for private use?

Currently many are coming up with their own ad hoc TLDs for local use. In my opinion this is suboptimal. Having a standard official TLD would allow more interesting things to "organically grow" on it.

(See also: http://tools.ietf.org/html/draft-yeoh-tldhere-01)

VC: Hard to say, honestly. I am not sure just what ".here" might actually mean unless intended to be self-referential (in other words, the server is the same as the referring party - kind of like 127.0.0.1? In that case, it need only be a reserved term rather than something you register in.

Ooh! Settle An Argument For Me!
by Greyfox

Though my deep and thoughtful meditation on IP addressing, I have realized that an IP address is simply a number. We canonically break it up into 4 smaller numbers that are presumably easier to remember. However if you stack all the bits of those smaller numbers together, you get a bigger number, and that number is actually the address. Moreover, every C standard library that I have ever tried is able to resolve this bigger number to the correct address. If I ping a 10 digit number in that address range, the C standard library will figure it out. It is my position that this is a feature and not a bug.

It seems that the OS X Firefox Guys don't agree with me. Admittedly they do have an RFC on the subject, but their browser breaks a known behavior that every other TCP/IP client program on the planet exhibits, including other operating system versions of Firefox!

Would you kindly bludgeon one of us into submission? I don't really care which side of the argument you come down on, but one of us has to be able to say "Because Vint Cerf said so!"

Oh, and while I've got you, I'm sick of writing stateless http applications. May I have your permission to go back to writing plain old socket servers on other ports, providing data based on whatever query format I feel like implementing? It kind of looks like REST, I suppose, except that I don't have to load 14 layers of frameworks to get to that point.

VC: LOL! actually, most of us assumed that any way to generate the 32 number should be acceptable since the connection process doesn't actually use the text representation of the IP address. I think any value in the range 0 to 2^32-1 should be acceptable as an IP reference. As to stateless operation, I know what you mean; you have to get used to figuring out how to stash intermediate state (cookies usually)...

SMTP, DNS, U.S. Customs
by molo

It seems that it is getting more and more difficult to successfully run your own SMTP server. See, for example, this post responding to the idea that a user was going to move off gmail to their own server. Are there any prospects for meaningful SMTP reform that would lower the barrier to entry for legitimate emailers?

DNS has been often criticized as a centralized single point of failure / censorship. Have you been following the development of namecoin and P2P DNS? Are these systems viable in your estimation? How would you improve them or encourage their adoption?

The U.S. Customs department recently created headlines in seizing domains. These seizures appear to be extra-legal (not founded in law), but ICANN has gone along with them. Are those fair statements? Should ICANN's trustworthiness be suspect as a result of this process?

VC: On SMTP, the problem is spam. If SMTP relays could be authenticated in some way, perhaps running your own would work better. As of now, it is a problem to validate relays and most ISPs don't allow it. Maybe we will make some progress in this when we can strongly authenticate/validate end points in the network better. Regarding alternatives to DNS, it would be interesting to find alternatives to DNS that might be less prone to the business models that produce domaining, for example, but I have not yet seen evidence that such an outcome is likely to gain traction. I am not sure that ICANN has any ability to resist effectively the so-called seizures of domain names by the DHS/ICE. I am disturbed by the argument that this is comparable to FBI "seizures" of contraband for many reasons but I think the ability to resist this would rest on a successful court challenge to the practice, not to an ICANN policy.

Smart Grid
by kiwimate

You're currently on the Governing Board of the NIST Smart Grid Interoperability Panel. What is the state of standards development, and how big an impact does it have to move national infrastructure communications into the public IP arena so far as our ability to strengthen and expand our infrastructure? Conversely, how big are the threats in this new world?

VC: The process is moving along reasonably well although adoption of the standards that are emerging in the US will depend on endorsement by FERC and NERC. I think the standards can be very beneficial to the creation of interoperable energy management systems, edge devices, and device controllers. I am pleased that IPv6 forms a major basis for edge communication but concerned that the domestic ISPs, with some notable exceptions, have been slow to roll out support for IPv6. I imagine that an IPv6-equipped mobile could easily become a remote controller for a wide range of IPv6-labelled devices.

What would you like to see developed next?
by techmuse

I'm curious what technologies you would like to see developed next, or what you think would be most important to develop next. In other words, what do you think researchers should work on now that would be most significant? (Oh, and thank you for changing my life!)

V: My major wish right now, apart from ISP implementation of IPv6, DNSSEC and more end/end crypto and strong, 2-factor authentication, is the implementation of true broadcast IP. Satellites raining IP(v6) packets to Earth in range of millions of receivers could make widespread digital distribution of information far more efficient.

Interplanetary Internet
by immakiku TCP/IP started as a military project but has been adapted for all the Internet applications we see today. What sort of applications do you foresee/imagine for the Interplanetary Internet, aside from the stated purpose of coordinating NASA devices?

VC: The primary terrestrial applications are military tactical communications and enhanced mobile communications. I see a role for these delay and disruption tolerant protocols in public safety networking as well. All devices in the system could also serve as relays to allow for the dynamic creation of Mobile Ad hoc Networks, making more resilient emergency services communications and any number of popular user apps on mobiles.
The IP of TCP/IP
BY WHOM

The head of UN's WIPO believes that the Internet (and obviously the stack on which it runs) should have been patented. How do you believe it would have evolved, would TCP/IP be protected by patents?

VC: This is really pretty silly. Bob Kahn and I consciously did NOT patent or control distribution of the design and protocol specifications for TCP/IP for the simple reason that we wanted no intellectual property barriers to the adoption of TCP/IP as an international standard. I see absolutely no utility in the proposition to patent TCP/IP. It would have given a reason for SNA, DECNET and other proprietary protocols to persist since their inventors/purveyors could have argued that licensing TCP/IP (had it been patented) would be of no interest to them - indeed, its use opened up interoperability among many brands of computers (and networks) leading to more competition.

Has the Internet become too centralized?
by slashsloth

That is to say, do you think that too much power & control now lies in the hands of the Internet Service Providers, thereby making it, at least in terms of control if not routing, too centralized & too easily manipulated by the powerful few. I guess this question stems from a viewpoint that it should be somehow democratic & free (as in free speech). Also do you share my pedantic belief that the public Internet should be spelt with a capital 'I'?

VC: As to the latter, yes, I strongly believe that the capital was intended to refer to the public Internet (I have written on this in the past). We accepted the notion that "internet" could use the protocols but be private and disconnected from the public Internet but that "Internet" referred to the latter. Some people disagree but I still believe it to be a useful distinction. As to centralization, it is possible that the lack of competition among Internet access providers is a bad outcome. I have always been a proponent of intra-modal competition through open access to underlying transport networks but not everyone agrees with me.

How can we bring trust back to the internet?
by Madman

One of the secrets of the internet's massive success is the lack of controls over it; if there had been strict security and processes in place it would likely not have come about. One of the downsides is that all our security measures are tacked-on, there is no built-in security to the protocols used on the internet and as a result security is a massive problem. How do we go from the wild west to having at least a reasonable level of trusted computing?

VC: Better and stronger authentication would help. 2-factor "passwords" and registration of devices. We may also need to adopt international norms for acceptable usage of the net with some kind of enforceable rules with reciprocity. Until we have some collective and cross-border ability to bring miscreants to justice, we will continue to see relatively unconstrained behaviors including harmful ones.

No more "peace and love" in software designs
by BeforeCoffee

I take it that the "route around failures" and other original design features of TCP/IP and the Internet as a whole relied upon trusting others always having good intentions and cooperating. Those designs were necessary at the time and the reason the internet exists today.

Nowadays distrust, firewalls, and coding defensively is the norm (or it should be). In that light, the internet's design seems creaky and vulnerable.

Do you have any thoughts or feelings on how software has changed and seemingly become so treacherous since you first designed TCP/IP? Would you advocate a ground-up redesign of internet transports and protocols starting with TCP/IP?

VC: I have always been a fan of trying clean-sheet designs. Sometimes you discover retrofits that don't require a re-design. In other cases (such as delay and disruption tolerance) you need serious re-implementation of new designs. It is clear that authentication, various forms of cryptographic protections and the like are needed at several layers in the architecture. Deploying something wholly new is hard, though.

Future of the Internet
by H0bb3z

Do you feel the security concerns over collected information will trump the leveraging of information in future Internet technologies? Will there be a separate "opt-in" or "opt-out" web to cater to each preference?

Context: There have been many controversies recently regarding the collection of data and the privacy of individual information. As we move forward, I've heard a mixed set of messages regarding the direction we should expect to see.

Consumerism is indeed driving innovation and everything is going mobile these days (there's an app for that I think). One example I heard recently of the benefit of the convergence of information and mobility: a consumer can point their mobile phone at a shelf of groceries, get an active "overlay" of information regarding the products and determine which best suits the customer needs. On the flip side, sensors that track customer behavior are installed at the grocery shelf and based on detected behavior (like stopping for a moment to reminisce about Coco-Puffs even though you know they are bad for you) initiates a coupon for whatever the vendor may feel would provide enough motivation to purchase their product -- in the example a $1 off coupon to the mobile phone of a shopper.

Will this become reality in the future?

I think there are benefits to be had, but also am fiercely protective of my personal information and preferences.

VC: At least in America, we have tended to readily give up privacy in exchange for convenience. Credit card information bases being a good example of that. If one can divorce identity from behavior patterns, it might be acceptable to many to benefit from system reactions to our choices and behavior if these are not correlated with identity.

Postel and Crocker
by vlm

So you went to high school with Postel and Crocker, according to Wikipedia; did you guys hang out all along or meet up decades later?

V: Crocker and I have been best friends since about 1959. Jon was in a later class and we didn't know him until we all reconvened at UCLA in the late 1960s.

A Simple Pogonological Question
by eldavojohn

What level of success does TCP/IP owe to your glorious beard?

VC: LOL!! not much! I just got tired of nicks and cuts from shaving my whole face and went with the beard!! I did shave it off once, but quickly re-grew it after being painfully reminded why I had grown it in the first place!!!

angry tapir writes "Mozilla has issued a do not track field guide to encourage advertisers and publishers to implement do-not-track (DNT) functionality. The guide contains tutorials, case studies and sample code to illustrate how companies use the DNT technology. Mozilla aims to inspire developers, publishers and advertisers to adopt DNT and wants to put the control over Internet tracking into the hands of users. The browser maker wants to put a stop to behavioral targeting and pervasive tracking on the Web. The guide can be found here (PDF)."

First time accepted submitter Mensa Babe writes "Oliver Morgan, the original author of the JavaScript Toolkit, or just 'The Toolkit' as it is known in the JavaScript community, has just announced the release of the long awaited version 1.1.0, with better documentation and added function support. Quoting the project documentation: '[JavaScript] Toolkit offers a large number of integrated methods and utilities to help enrich the javascript object library. Javascript was built originally for browsers and as such lacks a large number of data utility methods with are seen in languages such as Python and Ruby. However times have changed and JavaScript is being used more and more in backend platforms. JS Toolkit aims to bridge that gap and provide everyone a modern developer needs to produce fast, secure and tidy code quick and easily.' The Toolkit fully supports ECMAScript 5 and runs on the most important virtual machines that we have today, including Node.JS, V8, Rhino, RingoJS, and many others. It continues to be actively developed."

arglebargle_xiv writes "Following on from Comodogate, we have another public CA issuing genuine false certificates to Iran, this time for Google. There's speculation that it's a MITM by the Iranian government, but given the existing record of CAs ready to sell certs to anyone whose check clears, it could just be another Comodogate." Another (anonymous) reader says, "What might be worrying is that the CA behind the forgery is the official supplier of most Dutch Government certificates, diginotar.nl. They are supposed to be very stringent in their application process. As a Dutchman, I'm very interested to see how this one plays out." Adds Trailrunner7: "The attack appears to have been targeting Gmail users specifically. Some users trying to reach the Gmail servers over HTTPS found that their traffic was being rerouted through servers that shouldn't have been part of the equation. On Monday afternoon, security researcher Moxie Marlinspike checked the signatures on the certificate for the suspicious server, which had been posted to Pastebin and elsewhere on the Web, and found that the certificate was in fact valid. The attack is especially problematic because the certificate is a wildcard cert, meaning it is valid for any of Google's domains that use SSL."

An anonymous reader writes "A blog post published by Mozilla community contributor Tyler Downer claims the Mozilla Triage QA process is broken, and he believes that the rapid release implementation does not work with their current method of handling bugs. Quoting: 'I understand that change takes time, and there is always a delay between planning a change, and the implementation. But with Triage, time is our enemy. We currently have 2,598 UNCO bugs in Firefox that haven’t been touched in 150 days. That is almost 2600 bugs that have not been touched since Firefox 4 was released. ... In Spring 2010, we hit roughly 13,000 UNCO bugs in the Firefox product on BMO. 13,000!!! We currently have 5,934. While this is an improvement, that is 6,000 bugs in Firefox that could be shipping today, and enhancements that could be making the web better (of course it isn’t that high, but the potential is there). This is several thousand contributors that we have told "Thank you for filing a bug report with us. We don’t really care about it, and we are going to let it sit for 6 months and just ask you to retest when you know it isn’t fixed, but thank you anyway."'" Update: 08/29 19:46 GMT by S : Downer has made another blog post clarifying the bug issue. Updated title and summary to reflect that he was a volunteer, not a Mozilla employee.

An anonymous reader writes "Mozilla has an idea for how it can bridge the gap between native apps and web applications: WebAPI will be developed as a set of HTML5 APIs and deliver consistent, web-based application interfaces that can be accessed by any HTML5-capable device, specifically smartphones."

MrSeb writes "A great collective gasp issued from tuned-in Firefox fans when Mozilla announced that it was switching to a Chrome-like release schedule for its browser. Now Mozilla wants to take things one step further and remove Firefox version numbers entirely — from the user-facing parts of the browser, anyway." You can see the Bugzilla entry for this change, and keep up on Mozilla's reasoning and discussion through a thread on the mozilla.dev.usability newsgroup. Mozilla's Asa Dotzler explained, "We're moving to a more Web-like convention where it's simply not important what version you're using as long as it's the latest version. ... The most important thing is confidence that they're on the latest release. That's what the About dialog will give them."

BogenDorpher writes "Mozilla is currently on schedule to release Firefox 6 on August 16th but it looks like the final version has already been signed off and is unofficially available on Mozilla's servers."

CWmike writes "Mozilla is on track to release Firefox 6 next week, according to notes posted on the company's website. 'On track with a few bugs still remaining. No concerns for Tuesday,' the notes stated. Firefox 6 includes several noticeable changes, including highlighting domain names in the address bar — both Chrome and Microsoft's Internet Explorer 9 do something similar by boldfacing domain names — and reducing startup time when users rely on Panorama, the browser's multi-tab organizer. Meanwhile, Mozilla said this week that starting with Firefox 8, Mozilla will automatically block browser add-ons until users approve them, which should put an end to sneaky installs."

An anonymous reader writes "Mozilla could be heading into an open confrontation with its rivals Google, Apple and Microsoft as browsers evolve into platforms. Mozilla's director of Firefox engineering John Nightingale gave some insight on the past, present, and future of Mozilla and outlined why Firefox still matters. While Mozilla is accused of copying features from other browsers, the company says the opposite is the case. Nightingale says that a future Firefox will give a user much more control over what he does on the Internet and that Mozilla plans on competing with the ideal of an open web against siloed environments." Chrome may have a nice interface and be a bit faster than Firefox's rendering engine, but if Firefox failed as a project I'd miss its Emacs-like extensibility (something all other browsers lack).

An anonymous reader writes "Mozilla could be heading into an open confrontation with its rivals Google, Apple and Microsoft as browsers evolve into platforms. Mozilla's director of Firefox engineering John Nightingale gave some insight on the past, present, and future of Mozilla and outlined why Firefox still matters. While Mozilla is accused of copying features from other browsers, the company says the opposite is the case. Nightingale says that a future Firefox will give a user much more control over what he does on the Internet and that Mozilla plans on competing with the ideal of an open web against siloed environments." Chrome may have a nice interface and be a bit faster than Firefox's rendering engine, but if Firefox failed as a project I'd miss its Emacs-like extensibility (something all other browsers lack).

An anonymous reader writes "Mozilla could be heading into an open confrontation with its rivals Google, Apple and Microsoft as browsers evolve into platforms. Mozilla's director of Firefox engineering John Nightingale gave some insight on the past, present, and future of Mozilla and outlined why Firefox still matters. While Mozilla is accused of copying features from other browsers, the company says the opposite is the case. Nightingale says that a future Firefox will give a user much more control over what he does on the Internet and that Mozilla plans on competing with the ideal of an open web against siloed environments." Chrome may have a nice interface and be a bit faster than Firefox's rendering engine, but if Firefox failed as a project I'd miss its Emacs-like extensibility (something all other browsers lack).

Lennie sends this quote from an announcement at the Mozilla blog: "Recently there has been a lot of discussion about enterprises and rapid releases. Online life is evolving faster than ever and it's imperative that Mozilla deliver improvements to the Web and to Firefox more quickly to reflect this. This has created challenges for IT departments that have to deliver lots of mission-critical applications through Firefox. Mozilla is fundamentally about people and we care about our users wherever they are. To this end, we are re-establishing a Mozilla Enterprise User Working Group as a place for enterprise developers, IT staff and Firefox developers to discuss the challenges, ideas and best practices for deploying Firefox in the enterprise."

An anonymous reader writes "Mozilla Labs has just launched the prototype of its BrowserID project and the accompanying Verified Email Protocol standard. Basically, BrowserID is a browser-based federated login provider like Facebook Connect, but without the privacy leaks. Fundamentally, BrowserID is public key encryption. You register an email address with your browser, which is then confirmed with a standard 'click here to confirm' email. A public/private key pair is then generated; your browser keeps the private key, and your email provider keeps the public key. Now, when you visit Facebook (or any site that supports BrowserID), your browser gives Facebook your email address and an identity token signed with your private key. Facebook queries your email provider for your public key, decrypts your identity token, and logs you in — voila, secure, private, browser-based logins. Oh, and the prototype is written in HTML and JavaScript — so it works across every modern browser, too."

An anonymous reader writes "Coinciding with the recent release of Mozilla Thunderbird 5 and its 400 performance and stability fixes, Canonical has decided that it's now fit for adoption in Ubuntu — and as of version 11.10, Thunderbird will replace Evolution as the default mail program. You can download the second alpha of Ubuntu 11.10 today and give Thunderbird a whirl."

supersloshy writes "Mozilla has released the latest version of Thunderbird, their popular email client, now in sync with their new rapid-release versioning system. Among the new features are the new add-ons manager from Firefox 4, revised account creation, faster response times, the ability to load plugins in RSS feeds and over 390 platform fixes. For more information, read the release notes"

scdeimos writes "Mozilla has announced the release of Thunderbird 5.0b1, the first in their new rapid release cycles. According to the Thunderbird Beta FAQ, Thunderbird 4 was skipped, as the program's version is now tied to the underlying Gecko engine."

kripkenstein writes "Ever since Id Software released the Doom source code under the GPL, it's been ported to platform after platform. Now, you can play Doom compiled to JavaScript on the web, using standard web technologies like Canvas and without any plugins. If your browser has trouble running it, here's a screencast." The translation was accomplished using Emscripten, a Javascript backend for LLVM. As per the GPL, full source code is available. Pretty neat.

icebraining writes with a link to Ars Technica's look at the recent rejection of WebP by Mozilla Developer Joe Drew."Building mainstream support for a new media format is challenging, especially when the advantages are ambiguous. WebM was attractive to some browser vendors because its royalty-free license arguably solved a real-world problem. According to critics, the advantages of WebP are illusory and don't offer sufficient advantages over JPEG to justify adoption of the new format. (...) 'As the WebP image format exists currently, I won't accept a patch for it. If and when that changes, I'll happily re-evaluate my decision!' wrote Mozilla developer Joe Drew in a Bugzilla comment.'" However, as the article explains, Google sees enough value in WebP to add it as a supported image format for Picasa.

An anonymous reader writes "IonMonkey is the name of Mozilla's new JavaScript JIT compiler, which aims to enable many new optimizations in the SpiderMonkey JavaScript engine. InfoQ had a small Q&A with Lead Developer David Anderson, about this new development that could bring significant improvements in products that use the SpiderMonkey engine like Firefox, Thunderbird, Adobe Acrobat, MongoDB and more. This new JIT infrastructure, will feature SSA compiler intermediate representations which will facilitate advanced optimizations such as type specialization, function inlining, linear-scan register allocation, dead-code elimination, and loop-invariant code motion."

CWmike writes "Mozilla and Opera are mocking browser rival Microsoft's use of the term 'native HTML5' to describe Internet Explorer 9 and the in-development IE10 as an oxymoron, an attempt to hijack an open standard and a marketing ploy. On Tuesday, Microsoft's Dean Hachamovitch, the executive who runs the IE group, used the term several times during a keynote at MIX, the company's annual Web developers conference, and in an accompanying post on the IE blog. Hachamovitch claimed in his keynote that, 'The only native experience of the Web of HTML5 today is on Windows 7 with IE9.' Asa Dotzler, Mozilla's director of community development, replied mockingly in Bugzilla: 'I'm pretty sure Firefox 5 has "complete native HTML5" support. We should resolve this as fixed and be sure to let the world know we beat Microsoft to shipping *complete* native HTML5.'"

blair1q writes "Mozilla.org has added a new intermediate development state, Aurora, to its Firefox development chain. Coming between Nightly-Build and Beta, it adds a fourth sense to the meaning of 'the current version of Firefox' (the Release version fills out the trope). And now they have populated the Aurora channel with what will eventually become Firefox 5. The intent is to reduce release-version cycle times by allowing more live testing of new features before the integrated code gets into a Beta version. The inaugural Aurora drop includes 'performance, security and stability improvements.' Firefox 5 is scheduled to enter Beta on May 17, and Release on June 21. Downloads of all of the active channels are available from the Firefox channels webpage."

A great number of readers have written in to tell us that Mozilla has officially announced the final, official, Firefox 4.0. Congrats to all the developers who have code in the build. If you want some neat eye candy, you can watch a sweet visualization showing where the downloaders are.

An anonymous reader writes "Similarly to Google with Chrome Experiments and Microsoft with Internet Explorer Test Drive, Mozilla has developed an HTML5 demo site to showcase the latest features supported by Firefox 4. Mozilla's Paul Roget writes, 'Firefox 4 is almost here, and comes with a huge list of awesome features for web developers. In order to illustrate all these new technical features, we put together several Web demos. You'll see a couple of demos released every week until the final version of Firefox 4. You can see the first 3 demos online now on our brand new demo web site: Web O' Wonder. Unlike certain other HTML5 demo sites, Mozilla's site works in any browser that supports the features used in the demo."

An anonymous reader writes "Similarly to Google with Chrome Experiments and Microsoft with Internet Explorer Test Drive, Mozilla has developed an HTML5 demo site to showcase the latest features supported by Firefox 4. Mozilla's Paul Roget writes, 'Firefox 4 is almost here, and comes with a huge list of awesome features for web developers. In order to illustrate all these new technical features, we put together several Web demos. You'll see a couple of demos released every week until the final version of Firefox 4. You can see the first 3 demos online now on our brand new demo web site: Web O' Wonder. Unlike certain other HTML5 demo sites, Mozilla's site works in any browser that supports the features used in the demo."

An anonymous reader writes "Similarly to Google with Chrome Experiments and Microsoft with Internet Explorer Test Drive, Mozilla has developed an HTML5 demo site to showcase the latest features supported by Firefox 4. Mozilla's Paul Roget writes, 'Firefox 4 is almost here, and comes with a huge list of awesome features for web developers. In order to illustrate all these new technical features, we put together several Web demos. You'll see a couple of demos released every week until the final version of Firefox 4. You can see the first 3 demos online now on our brand new demo web site: Web O' Wonder. Unlike certain other HTML5 demo sites, Mozilla's site works in any browser that supports the features used in the demo."

An anonymous reader writes "Mozilla is planning to release four new versions of its open source browser by the end of this year. That means Firefox 4, Firefox 5, Firefox 6, and Firefox 7 are all slated to ship in 2011. Mozilla was originally planning on having Firefox 4 out by the end of last year, but it had to delay the release. The last release was Beta 10 but there are still probably two more betas, at least one release candidate, and of course a final build. It's clear the company no longer thinks this model is a good one, and wants to accelerate its release cycle, much like Google did with Chrome." More detailed information on the accelerated development cycle and the major features intended for each new version are available on Mozilla's Firefox 2011 Roadmap.

An anonymous reader writes "Mozilla cranked out a new version of Firefox 4 (Beta 11-pre) that includes the proposed do-not-track feature. Both the nightly builds and latest trunk builds integrate the do-not-track feature. You could accuse Mozilla of wasting time with Firefox 4 beta-testing, but this feature certainly has surfaced fast."

surveyork writes "Firefox 4.0 beta 9 (AKA 'a huge pile of awesome') was released on January 14, 2011. Firefox 4's release schedule includes a beta 10 and a release candidate before the final launch in late February. However, one wonders if this schedule won't slip again, since there are still more than 100 'hardblocker' bugs, more than 60 bugs affecting Panorama alone and 10 bugs affecting the just-introduced Tabs-on-Titlebar. Some long-standing bugs won't be fixed in time for Firefox 4 final either (example, example). Many startup bugs are currently pending, although Firefox 4 starts much faster than Firefox 3.6. As a side note, it's unlikely that Firefox 4 final will pass the Acid3 test, despite this being a very popular demand amongst Firefox enthusiasts. Perhaps we'll have to wait until Firefox 4.1 to have this 'huge pile of bugs' (mostly) fixed."

surveyork writes "Firefox 4.0 beta 9 (AKA 'a huge pile of awesome') was released on January 14, 2011. Firefox 4's release schedule includes a beta 10 and a release candidate before the final launch in late February. However, one wonders if this schedule won't slip again, since there are still more than 100 'hardblocker' bugs, more than 60 bugs affecting Panorama alone and 10 bugs affecting the just-introduced Tabs-on-Titlebar. Some long-standing bugs won't be fixed in time for Firefox 4 final either (example, example). Many startup bugs are currently pending, although Firefox 4 starts much faster than Firefox 3.6. As a side note, it's unlikely that Firefox 4 final will pass the Acid3 test, despite this being a very popular demand amongst Firefox enthusiasts. Perhaps we'll have to wait until Firefox 4.1 to have this 'huge pile of bugs' (mostly) fixed."

surveyork writes "Firefox 4.0 beta 9 (AKA 'a huge pile of awesome') was released on January 14, 2011. Firefox 4's release schedule includes a beta 10 and a release candidate before the final launch in late February. However, one wonders if this schedule won't slip again, since there are still more than 100 'hardblocker' bugs, more than 60 bugs affecting Panorama alone and 10 bugs affecting the just-introduced Tabs-on-Titlebar. Some long-standing bugs won't be fixed in time for Firefox 4 final either (example, example). Many startup bugs are currently pending, although Firefox 4 starts much faster than Firefox 3.6. As a side note, it's unlikely that Firefox 4 final will pass the Acid3 test, despite this being a very popular demand amongst Firefox enthusiasts. Perhaps we'll have to wait until Firefox 4.1 to have this 'huge pile of bugs' (mostly) fixed."

surveyork writes "Firefox 4.0 beta 9 (AKA 'a huge pile of awesome') was released on January 14, 2011. Firefox 4's release schedule includes a beta 10 and a release candidate before the final launch in late February. However, one wonders if this schedule won't slip again, since there are still more than 100 'hardblocker' bugs, more than 60 bugs affecting Panorama alone and 10 bugs affecting the just-introduced Tabs-on-Titlebar. Some long-standing bugs won't be fixed in time for Firefox 4 final either (example, example). Many startup bugs are currently pending, although Firefox 4 starts much faster than Firefox 3.6. As a side note, it's unlikely that Firefox 4 final will pass the Acid3 test, despite this being a very popular demand amongst Firefox enthusiasts. Perhaps we'll have to wait until Firefox 4.1 to have this 'huge pile of bugs' (mostly) fixed."

surveyork writes "Firefox 4.0 beta 9 (AKA 'a huge pile of awesome') was released on January 14, 2011. Firefox 4's release schedule includes a beta 10 and a release candidate before the final launch in late February. However, one wonders if this schedule won't slip again, since there are still more than 100 'hardblocker' bugs, more than 60 bugs affecting Panorama alone and 10 bugs affecting the just-introduced Tabs-on-Titlebar. Some long-standing bugs won't be fixed in time for Firefox 4 final either (example, example). Many startup bugs are currently pending, although Firefox 4 starts much faster than Firefox 3.6. As a side note, it's unlikely that Firefox 4 final will pass the Acid3 test, despite this being a very popular demand amongst Firefox enthusiasts. Perhaps we'll have to wait until Firefox 4.1 to have this 'huge pile of bugs' (mostly) fixed."

surveyork writes "Firefox 4.0 beta 9 (AKA 'a huge pile of awesome') was released on January 14, 2011. Firefox 4's release schedule includes a beta 10 and a release candidate before the final launch in late February. However, one wonders if this schedule won't slip again, since there are still more than 100 'hardblocker' bugs, more than 60 bugs affecting Panorama alone and 10 bugs affecting the just-introduced Tabs-on-Titlebar. Some long-standing bugs won't be fixed in time for Firefox 4 final either (example, example). Many startup bugs are currently pending, although Firefox 4 starts much faster than Firefox 3.6. As a side note, it's unlikely that Firefox 4 final will pass the Acid3 test, despite this being a very popular demand amongst Firefox enthusiasts. Perhaps we'll have to wait until Firefox 4.1 to have this 'huge pile of bugs' (mostly) fixed."

surveyork writes "Firefox 4.0 beta 9 (AKA 'a huge pile of awesome') was released on January 14, 2011. Firefox 4's release schedule includes a beta 10 and a release candidate before the final launch in late February. However, one wonders if this schedule won't slip again, since there are still more than 100 'hardblocker' bugs, more than 60 bugs affecting Panorama alone and 10 bugs affecting the just-introduced Tabs-on-Titlebar. Some long-standing bugs won't be fixed in time for Firefox 4 final either (example, example). Many startup bugs are currently pending, although Firefox 4 starts much faster than Firefox 3.6. As a side note, it's unlikely that Firefox 4 final will pass the Acid3 test, despite this being a very popular demand amongst Firefox enthusiasts. Perhaps we'll have to wait until Firefox 4.1 to have this 'huge pile of bugs' (mostly) fixed."

surveyork writes "Firefox 4.0 beta 9 (AKA 'a huge pile of awesome') was released on January 14, 2011. Firefox 4's release schedule includes a beta 10 and a release candidate before the final launch in late February. However, one wonders if this schedule won't slip again, since there are still more than 100 'hardblocker' bugs, more than 60 bugs affecting Panorama alone and 10 bugs affecting the just-introduced Tabs-on-Titlebar. Some long-standing bugs won't be fixed in time for Firefox 4 final either (example, example). Many startup bugs are currently pending, although Firefox 4 starts much faster than Firefox 3.6. As a side note, it's unlikely that Firefox 4 final will pass the Acid3 test, despite this being a very popular demand amongst Firefox enthusiasts. Perhaps we'll have to wait until Firefox 4.1 to have this 'huge pile of bugs' (mostly) fixed."

An anonymous reader writes "Forbes reports that The Internet Society announced this week the availability of the Identity Management Policy Audit System, a suite of tools designed to give Internet users a clearer understanding of the online usage policies of the websites they visit. Born out of a collaboration between The Internet Society, the University of Colorado, the Electronic Frontier Foundation, and the Center for Democracy and Technology, the system consists of a free, open-source Firefox plug-in that checks a library of scraped terms of service and privacy policies from several popular websites. If a site changes the fine print of one of its policies, the plug-in notifies the user when they visit the website next. According to Forbes, 'that functionality would help users spot controversial switcheroos in sites' legalese, such as Facebook's change last year that suddenly gave the site the right to use your photos and other content.'"

Trailrunner7 writes "There's an unpatched vulnerability in Internet Explorer 8 that enables simple data-stealing attacks by Web-based attackers and could lead to an attacker hijacking a user's authenticated session on a third-party site. The flaw, which a researcher said may have been known since 2008, lies in the way IE8 handles CSS. The vulnerability can be exploited through an attack scenario known as cross-domain theft, and researcher Chris Evans originally brought the problem to light in a blog post in December. At the time, all of the major browsers were vulnerable to the attack, but since then, Firefox, Chrome, Safari and Opera all have implemented a simple defense mechanism. The upshot of this is that if a victim has visited a given Web site, authenticated himself to the site, and then visits a site controlled by an attacker, the attacker would have the ability to hijack the user's session and extract supposedly confidential data. This attack works on the latest, fully patched release of IE8."

Nunavut writes in with a note from TechCrunch on Aza Raskin's latest Mozilla goodie, Tab Candy. "Be sure to watch the video for a full overview — from the looks of it, it seems as if Tab Candy is sort of like Apple's Expose feature mixed with their Spaces feature, both of which are baked into OS X. For those who don't use a Mac, basically these features allow you to zoom out and get a bird's-eye-view of all your windows (or tabs, in this case) that are open — and you can also arrange open windows (or again, tabs, in this case) in certain spaces so they're clumped together. This allows you to more easily find what you're looking for with so many tabs open." Here's Raskin's blog post, the download link, and the FAQ.

Nunavut writes in with a note from TechCrunch on Aza Raskin's latest Mozilla goodie, Tab Candy. "Be sure to watch the video for a full overview — from the looks of it, it seems as if Tab Candy is sort of like Apple's Expose feature mixed with their Spaces feature, both of which are baked into OS X. For those who don't use a Mac, basically these features allow you to zoom out and get a bird's-eye-view of all your windows (or tabs, in this case) that are open — and you can also arrange open windows (or again, tabs, in this case) in certain spaces so they're clumped together. This allows you to more easily find what you're looking for with so many tabs open." Here's Raskin's blog post, the download link, and the FAQ.

An anonymous reader writes "Mozilla pulled one of their Firefox add-ons earlier this week for containing a backdoor which stole passwords from its users. Netcraft has taken a closer look at how the rogue extension worked, and how it was discovered by chance rather than through any code review process. Mozilla are working on a new security model to stop this kind of backdoor happening again."

balster neb writes "Mozilla has released the first Beta of Firefox 4, the next major version of the popular web browser. Apart from the new 'Chromified' tabs-on-top UI, there are many major improvements in performance and HTML5 support. This release also adds support for the new WebM video format. Other changes include faster DOM and CSS performance, improved UI responsiveness, hardware 2D acceleration, experimental WebGL support, and better JavaScript performance (though this beta does not include the new JaegerMonkey JIT engine). More details on the Mozilla blog."

eldavojohn writes "The latest versions of Microsoft Windows have some good security options available — now if only they could get their most popular third-party applications to use them. A report from Secunia takes a look at two such options — DEP and ASLR — and Brian Krebs breaks down who is using them and who is not. A security specialist noted, 'If both DEP and ASLR are correctly deployed, the ease of exploit development decreases significantly. While most Microsoft applications take full advantage of DEP and ASLR, third-party applications have yet to fully adapt to the requirements of the two mechanisms (PDF). If we also consider the increasing number of vulnerabilities discovered in third-party applications, an attacker's choice for targeting a popular third-party application rather than a Microsoft product becomes very understandable.' Among those with neither DEP or ASLR: Apple Quicktime, Foxit Reader, Google Picasa, Java, OpenOffice.org, RealPlayer, and AOL's Winamp. While Flash player can't implement DEP, it does have ASLR. Google Chrome is the only popular third-party application listed with stars across the board." It's worth noting that several apps highlighted in the Secunia research paper have added support for those security options in recent patches, or are in the process of doing so. Examples include Firefox, VLC, and Foxit Reader.

rtfa-troll writes "Beef Taco is a Firefox extension that allows a mass opt-out from tracking and targeted advertising by many ad networks. The Register reports that the original system, TACO, has become proprietary, and has added new 'features' best described as bloatware. I guess this should serve as a warning for users to always prefer software under a copyleft license where possible. If Google had chosen a license with better protection, such as the GPL, when it released its own opt-out tool, this problem would have been much less likely. This also shows why forks are so important when software development begins to get messy."

An anonymous reader writes "Web browser history detection with the CSS:visited trick has been known for the last ten years, but recently published research suggests that the problem is bigger than previously thought. A study of 243,068 users found that 76% of them were vulnerable to history detection by malicious websites. Newer browsers such as Safari and Chrome were even more affected, with 82% and 94% of users vulnerable. An average of 63 visited locations were detected per user, and for the top 10% of users the tests found over 150 visited sites. The website has a summary of the findings; the full paper (PDF) is available as well."

Barence writes "Mozilla has announced plans to redraft the open-source license underpinning projects such as Firefox. The Mozilla Public License 1.1 has been used to distribute numerous projects including Firefox, Thunderbird, OpenSolaris and Flex for over a decade. In the first phase of this process, Mozilla will release an alpha draft based on feedback already received. This will be followed by 'commentary, discussion, and further drafting, followed by beta and release candidate drafts.' Mozilla intends to 'seriously investigate' whether it can make the MPL compatible with the Apache license, in an effort to 'help projects using the MPL become more flexible about using Apache-licensed code.'"

Josh Triplett writes "Last October, Mozilla accepted the China Internet Network Information Center as a trusted CA root (Bugzilla entry). This affects Firefox, Thunderbird, and other products built on Mozilla technologies. The standard period for discussion passed without comment, and Mozilla accepted CNNIC based on the results of a formal audit. Commenters in the bug report and the associated discussion have presented evidence that the Chinese government controls CNNIC, and surfaced claims of malware production and distribution and previous man-in-the-middle attacks in China via their secondary CA root from Entrust. As usual, please refrain from blindly chiming into the discussion without supporting evidence. Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."

Shining Celebi writes "Mozilla has released Firefox 3.6 today, which adds support for Personas, lightweight themes that can be installed without restarting the browser, and adds further performance improvements to the new Tracemonkey Javascript engine. One of the major goals of the release was to improve startup time and general UI responsiveness, especially the Awesomebar. You can read the full set of release notes here."

CWmike writes "Mozilla has shipped a release candidate build of Firefox 3.6 that, barring problems, will become the final, finished version of the upgrade. Firefox 3.6 RC1, which followed a run of betas that started in early November, features nearly 100 bug fixes from the fifth beta that Mozilla issued Dec. 17. The fixes resolved numerous crash bugs, including one that brought down the browser when it was steered to Yahoo's front page. Another fix removed a small amount of code owned by Microsoft from Firefox. The code was pointed out by a Mozilla contributor, and after digging, another developer found the original Microsoft license agreement. 'Amusingly enough, it's actually really permissive. Really the only part that's problematic is the agreement to "include the copyright notice ... on your product label and as a part of the sign-on message for your software product,"' wrote Kyle Huey on Mozilla's Bugzilla. Even so, others working on the bug said the code needed to be replaced with Mozilla's own."