Firefox 2.0 Update To Remove Phishing Detection

An anonymous reader writes "Computerworld and others are reporting that Firefox 2.0.0.19, the last security update to be released before 2.0 goes end-of-life, will remove the phishing detection at the request of Google. The browser is using an older version of the Safe Browsing protocol that Google will discontinue. According to the latest NetApplications report, about 25% of all Firefox users were still on version 2.0. This move ought to result in an increased adoption of Firefox 3.0 and other browsers, unless it goes unnoticed by most users."

Phishing detection?

Isn't that the equivalent of training wheels on a bicycle?

Re:Phishing detection?

[digitig]

No. To be a valid analogy on /. it has to have a car in it. A bicycle just isn't good enough.

Re:Phishing detection?

[Haeleth]

Okay, then, the equivalent of automatic transmission.

Re:Phishing detection?

It's probably a locality dependent cultural mistake. It says 'anonymous coward' But that's only because this is an english language site. In reality we're most likely dealing with a 'anonieme lafaard' and where he's from bike analogies are the norm.

A security update that reduces security

[mysidia]

Hrm.. I don't think that's the intended use of security updates that causes users to be willing to accept and enable such updates.

In a way, it's a breach of trust if they were intentionally holding back on upgrading to 3.0. Users would be in slightly better shape if they refused to accept this update (at least until Google finally does turn it off).

I anticipate not necessarily a massive increase in users updating to Firefox 3.0, but more likely a massive increase in phishing targetting 2.0 users who still think they're protected (they didn't pay attention to the update release notes).

Re:A security update that reduces security

[dafrazzman]

Even a minor increase in 3.0 adoption would be worth it, as the phishing detection won't matter once google turns it off. I think Mozilla is doing well by making one last effort to move people towards Firefox 3.

At least the version 2 users are being given some warning, as opposed to just being left out to dry without any heads up at all.

Re:A security update that reduces security

[i.of.the.storm]

I honestly don't think many people actually even know about the phishing protection, and I assume the update would inform users that it was removed.

Re:A security update that reduces security

[theaveng]

I disagree. I already tried Firefox 3 and it ran very poorly, so that's why I went back to Firefox 2.

IMHO rahter than disable the feature, thereby making users vulnerable to scams, the correct solution is to upgrade the anti-phishing to v2. Toturn it off completely is somewhat akin to a AntiVirus 2.0.0.19 program deciding to turn-off its scanner, to force users to move to AntiVirus 3. The ends do NOT justify leaving users vulnerable to attack.

Re:A security update that reduces security

Are they doing anything actively to migrate people, or is it all just "behind the scenes" stuff like this? I was over at my parent's for Thanksgiving and my Mom wanted me to look at her Firefox to see if she could load the 2.0.0.18 update that Firefox kept asking her to install. She had held off from it because of vague warnings about "firewall's may block Firefox after install" in the release notes.

That was a great way to confuse things - it should have mentioned Outbound firewalls specifically. BTW, I was horrified to find her still on the 2.0 series and just updated her to the latest 3.x build. I spent some time trying to explain the firewall message in the release notes was about the outbound blocking used by hobbyists, enthusiasts, and yes - paranoids to make sure that only apps they approve can talk on the net. I think that fell on deaf ears though.

All my babble aside - I don't believe Mozilla made any effort at all to get my Mom onto the 3.x series. She hadn't heard of it, and certainly the auto-update feature was not offering it. Perhaps it should.

Re:A security update that reduces security

[gparent]

It's going to End of Life. They won't upgrade an obsolete product. Either they turn it off in the next update and get some people to upgrade, or they leave it on giving a false sense of security since it won't even work.

Re:A security update that reduces security

[theaveng]

P.S.

I'm currently at 2.0.0.12 and 2.0.0.18 will be final update. I'm not going to xxxx.19 if thry're going to disable my protection. Froget that.

Re:A security update that reduces security

[Tubal-Cain]

Uhhh... Google's turning off the servers.
Your FF 2.0.18 won't have any phishing protection, either.

Re:A security update that reduces security

[bencoder]

I don't think you understand.. (very simply,) the protection comes from a list that gets downloaded from google... google are discontinuing this in favour of a more modern format, so your "protection" is(will be) useless anyway. Updating your v2.x will just remove the feature from the browser itself, hopefully pushing more people to upgrade to the 3.x release, because now they will no longer have the perceived protection that in fact no longer works.

Re:A security update that reduces security

[apathy+maybe]

Is "phishing detection" security? Or does it just provide a false sense of security?

To quote myself (from <http://slashdot.org/comments.pl?sid=1030947&cid=25776933>, strong added):

Because blacklists don't work. Want to not get phished? Simple instructions that even the most computerphobic person can understand:

When you want to go to the website of your bank, credit union etc., type in what you see on the printed material you have in front of you! (Alternatively, for the more computer literate folks, create a bookmark/favourite after having typed in the address from the printed material from your bank. And only access it via that link.)

Never trust a link via an email, never trust a link from another website, not even if the address looks the same. (Character encoding, bad eyes and other things can make two strings look the same, even when they aren't.)

Basically, "phishing detection" is a flawed approach to the problem, and the best solution (as with most computer security issues), is user education. Considering that banks already have a "captive" audience (the audience has to read the material provided by the bank before being able to connect), they have a great opportunity to provide education to users.

They could even have a short quiz before they allowed their customers to get online access to their accounts. Perhaps questions like:

• Will your bank ever email you regarding problems with your account? (No.)
• Should you ever give your online password to anyone? (No.)
• How should you access the banks website? (Answer given above.)

And subsequently ask one of these questions each login ...
Of course, if the bank thinks that the answers above should be different, maybe it's time to move to a different bank.

Combined with a security token, this should cut down on most phishing.

(And actually, no bank I have ever used has known my email, I just refuse to give it to them (No I don't have an email address.).)

Re:A security update that reduces security

[mR.bRiGhTsId3]

I guess the question is, if people are so against upgrading to 3.0 (which I find worlds better btw), how long will it take someone to write an extension for 2.0 that supports the new format.

Re:A security update that reduces security

there won't be a surge in late FF3 adopters... but a surge in abandonment... FF3 is unusable on some systems... I won't adopt it personally..

forced to be posting as an "anonymous coward" 'cause SD can't finalize my account...

Re:A security update that reduces security

[hairyfeet]

The problem is we are talking about a piece of dead code here. Mozilla has decided that the Firefox 2 code base is EOL, and frankly I don't blame them. The memory leaks in the code just never seemed to get fixed and the memory management in FF3 is simply light years better. And Google has already made it clear they are pulling the plug on the v1.0 Phishing filter, which would cause folks to think they had protection that they didn't actually have.

You mention MSFT, but lets be honest here. Most folks didn't have a living shit fit when they EOLed the Win9X line after giving it an extension to give folks time to switch. Why? Because those of us that knew anything about Operating Systems knew that trying to keep that mess of a codebase patched and functional was like pissing in the wind. At least with FF2 you HAVE a choice.

If you believe there are enough users out there that for one reason or another need FF2 you can set up a website and try to build a community around the FF2 code. Since the code is Open Source anyone who feels strongly about it can build a community of like minded individuals and keep it going. Just look at how Seamonkey continues to improve and update after what? 2 years of being cut loose by Mozilla? The Mozilla Corp doesn't support Seamonkey yet I have it on all my machines and it updates nearly as quickly as FF. So if you truly feel that it can be updated to Google Antiphishing v2.0 you should try to build a community around it. That is one of the great things about FOSS. We always have a choice.

Re:A security update that reduces security

[plnix0]

Except that browser "phishing detection" does NOT actually increase security. The form of phishing detection used by firefox, which involves telling a third-party site what websites you are visiting, is detrimental to security. Removing such "features" is quite appropriate to a security update.

Re:A security update that reduces security

[Mozk]

I disable phishing protection as it's just a waste of bandwidth for me. Generally I have custom Stylish styles for the websites I visit to fix layouts and do other things, so when I see that those aren't enabled, well, it's probably a phishing website.

Re:A security update that reduces security

[daeg]

If you're talking about on Linux, 3.1 is fixing some of the fsync issues that made it slow on some boxes.

Re:A security update that reduces security

[daeg]

Firefox 3 does not tell Google which sites you are visiting. It downloads a local version of the blacklist and queries it locally.

Re:A security update that reduces security

[LordSnooty]

somewhat akin to a AntiVirus 2.0.0.19 program deciding to turn-off its scanner,

It's not really, is it - the scanner is the crucial part of the AV program, the phishing filter is just one small feature of Firefox. Also the replacement product is free. Nobody would complain if a free AV package forced you to upgrade. In fact they (Clam, AVG) do it on a regular basis. Really not "somewhat akin" at all.

Re:A security update that reduces security

[Hadlock]

I still don't see why they're pushing people so hard to upgrade to 3.0. The version 3.0 still seems slower and more buggy than the version of 2.0 I have been using for some time. Does the firefox corperation get more money from google every time you download the latest version or something? I would argue that FF 2.0 is not and obsolete product - it does everything I need perfectly, and I would consider myself a power user. The mozilla corp. has been pushing people to upgrade now pretty hard for about six months and I really don't see the need to upgrade.
 
I prefer v.2 to v.3 so much that I still use v.2 at work, although I will boot into v.3 at work to check and see how it renders our website at work differently from 2.0 (we have bad code and in most cases there's a significant difference). v.2 has everything I need and a smaller memory footprint - why would I upgrade?

Re:A security update that reduces security

[TheRealMindChild]

I still don't see why they're pushing people so hard to upgrade to 3.0.

Because they are going to stop working on that version. I hate to point out the obvious, but this isn't really a complicated question.

Re:A security update that reduces security

[mysidia]

It's going to End of Life. They won't upgrade an obsolete product. Either they turn it off in the next update and get some people to upgrade, or they leave it on giving a false sense of security since it won't even work.

The right solution is to have a modular design, so when they update the anti-phishing module for FF3, FF2 automatically gets the same update with zero-effort.

The anti-phishing module version should be updatable independent of the browser version.

Re:A security update that reduces security

[mysidia]

It provides an additional layer of protection, which actually does provide a minor security enhancement.

Provided users do not change their behavior or act more carelessly, because they believe "phishing protection" will save them.

Re:A security update that reduces security

[Ramze]

I think the idea is that since they aren't going to offer any more updates to the software, anyone using FF 2.0 is going to be vulnerable to future browser exploits and rendering issues which will not ever be patched (unless someone forks the code), so from a user-safety perspective and a public relations perspective, Mozilla needs to strongly persuade people to move away from the old version.

The reasons to upgrade are the same as for any software. Sooner or later, FF3 or higher will have features that FF2 does not have and that you will need or wish you had. Whether that's patches, plug-ins, or new features, I can't say... but it is coming. Maybe a new version of HTML or a new scripting language... maybe a plugin that only works with 3.0 or higher for web pages you need access to -- who knows.

As for why they choose to turn the anti-phishing off rather than move to the next version, I think it's fair to say that turning off something is easier than re-coding it to work with something new. Also, why code it to work with the new Google version when you're discontinuing support? At some point, Google's API will change and FF 2 users will be left without a working anti-phishing engine again -- only without any warning because Mozilla will have moved on to FF 4 or beyond by then.

You are, of course, welcome to continue to use FF 2 if you enjoy the product, but it is not Mozilla's responsibility to continue to support it once they've moved on to a newer version.

You are correct that Mozilla could wait until Google discontinues its service to turn off the feature, but that is only prolonging the inevitable. They likely want the upgrade in place before Google shuts down its service so that users have advanced warning. If I were Mozilla, I'd even put up a splash screen upon installing the update to warn people that the anti-phishing no longer works and to upgrade to FF 3 if they wish to continue using the feature.

I'm not exactly sure what you're arguing. It sounds as if you're upset that Mozilla is "pushing" people to FF3 by discontinuing a feature in FF2, but really it's Google that's changing and Mozilla is reacting to that change by turning off the feature in advance in an effort to control the situation. It's not as if Mozilla turned off FF2's ability to use tabs or plugins or other features to intentionally cripple FF2.

Honestly, your post sounds a bit like a rant that eventually you'll have to move to something other than FF2 and you're upset that the reasons to move have only just begun to pile up. I can understand that you like the software and believe it is still worth supporting and/or forking to continue updating, but apparently Mozilla isn't going to be the one to do that for you.

Re:A security update that reduces security

[aussie_a]

What happens when Google upgrades the anti-phishing to v3? Should the programmers then upgrade Firefox 2? What about when the anti-phishing is upgraded again? and again? and again?

If you want to use Firefox 2 with the latest anti-phishing software from Google, why not leverage the open source community to do just that?

After all, isn't that suppose to be the benefit from people developing OSS? Anyone can do whatever they want?

Or maybe real life hasn't actually lived up to the big promise that is OSS?

Re:A security update that reduces security

[aussie_a]

The version 3.0 still seems slower and more buggy than the version of 2.0

Well it might SEEM slower and more buggy, but objective tests I've done (as I wanted to know which was better) indicate this isn't true.

Re:A security update that reduces security

[gparent]

I still don't see why they're pushing people so hard to upgrade to 3.0.

Because they won't work on 2.0 anymore. It will not be supported and will no longer receive security updates. How hard is that to understand?

The version 3.0 still seems slower and more buggy than the version of 2.0 I have been using for some time.

Except it's faster. Java Script improvements, less memory leaks, a garbage collector of sorts, etc. FF 3.0 requires less resources.

I would argue that FF 2.0 is not and obsolete product

By definition, it is. It will reach End of Life.

Re:A security update that reduces security

[martin-boundary]

"End of Life" doesn't mean the same thing with GPL software as with commercial software. Many people and organisations have the source code, and have modified it to suit their needs. It's not up to Mozilla or Google to tell people to upgrade to version 3, and it's not up to Mozilla to tell people that upgrading the phishing protection is not worth it. In a couple of years, when Mozilla will be gone and buried, we'll still be using the source code.

Re:A security update that reduces security

[theaveng]

Even if it is going to "end of life", I still don't see why they need to disable the security protection. If Microsoft did that with XP, in order to try to get people to move to Vista, people would scream bloody murder.

But because this is Firefox, for some reason it's okay where if MS did it, people would call foul. Double standard.

Re:A security update that reduces security

[calmofthestorm]

Not been my experience. It uses a fraction of the memory and runs a lot faster. Was a bitch losing some addons I really liked though.

Re:A security update that reduces security

Since Firefox is open source so anyone might just come alone and create a fork of Firefox 2 that supports Google's new Phishing APIs. Or better yet, someone writes an extension for it.

Re:A security update that reduces security

[plnix0]

1. That still tells google (and anyone watching the network) that you are using firefox and have that feature enabled.

2. Firefox actually does tell Google when you visit a site that is on the local list. The stated reason for this is to make sure that the site is still on the list -- that it hasn't been removed.

Re:A security update that reduces security

[plnix0]

It doesn't provide any protection that's not in the URL anyway, so no, it doesn't provide any protection. It is somewhat useful to know that a site is associated with phishing attacks, but it's easy to figure that out anyway based on the URL not being what it claims to be.

But arguably yes, there is a minor enhancement in visibility, with a trade-off of decreased privacy (i.e. security).

Re:A security update that reduces security

[Kalriath]

You mention MSFT, but lets be honest here. Most folks didn't have a living shit fit when they EOLed the Win9X line after giving it an extension to give folks time to switch

That may be true, but everyone had a living shit fit when Microsoft EOLed the WinXP line. Why? Just because they don't like Vista.

The same argument applies to Firefox.

Re:A security update that reduces security

[dasmoo]

I still don't see why they're pushing people so hard to upgrade to Vista.

Because they won't work on XP anymore. It will not be supported and will no longer receive security updates. How hard is that to understand?

Vista still seems slower and more buggy than the version of XP I have been using for some time.

Except it's faster. kernel improvements, less memory leaks, a security implementation of sorts, etc. Vista requires less resources.

I would argue that XP is not an obsolete product

By definition, it is. It will reach End of Life.

Re:A security update that reduces security

[ozmanjusri]

If Microsoft did that with XP, in order to try to get people to move to Vista, people would scream bloody murder.

But because this is Firefox, for some reason it's okay where if MS did it, people would call foul.

Did you even glance at the article summary?

Mozilla is removing the protection because very soon the anti-phishing service provided by Google will no longer be available.

Double standard.

Idiot.

Re:A security update that reduces security

[gparent]

They're not exactly preventing you from upgrading the phishing module. They're just dropping support for their own existing version of the code.

Re:A security update that reduces security

[gparent]

I know it doesn't happen often on Slashdot, but your answer can be found by R'ing TFA.

Re:A security update that reduces security

Same here. I agree.

Re:A security update that reduces security

[moronoxyd]

Well, objective Tests I've done suggest that FF3 is indeed more buggy.
FF2 NEVER crashed on me.
FF3 crashes every once in a while.

Re:A security update that reduces security

[sumdumass]

Well, yea..

And it's a good thing that FireFox is free because if it wasn't, this tactic of forcing an upgrade would be far worse then anything MS has done in the past. I simply don't understand how people are more then willing to accept this behavior from their pet projects but would otherwise moan and complain forever is MS or Novel did something like this. Imagine if MS turned security features off in XP to encourage Vista adoption, would you be just as thrilled? I mean, FF can send an error saying that Google's service doesn't work with their version any more. But disabling it to encourage upgrades is just evil.

Re:A security update that reduces security

[sumdumass]

Whats with these false choices. It isn't an either or situation. If they can turn it off, they can cause it to provide an informative error saying it isn't working because Google upgraded something and provide a link to the details. It isn't like they are limited to exactly two options arbitrarily dictated by some choice master 3000 program or something.

There are ways to not turn it off and not leave the customer with a false sense of security. There is either a hidden reason they are attempting to for the 3.0 adoption. Otherwise they would not be pretending that there are only two options. That alone should scare people. I know they would be outrages if MS of Apple attempted to force an upgrade by making an older product less secure.

Re:A security update that reduces security

[riceboy50]

Think of it as removing a broken feature and you'll realize it is a bug fix not a security update.

Re:A security update that reduces security

[SnowZero]

You've just shifted the problem to the anti-phishing module API. If that API ever needs to change, then things are broken just the same as with the anti-fishing service API. In both cases this simply boils down to: If you create the perfect API that never needs to be changed, you are set. The problem is that nobody is perfect, and getting an imperfect thing working well enough is often better than delaying things a lot longer to create a "perfect" design.

Re:A security update that reduces security

[ultranova]

Even a minor increase in 3.0 adoption would be worth it, as the phishing detection won't matter once google turns it off. I think Mozilla is doing well by making one last effort to move people towards Firefox 3.

How about fixing the bugs in Firefox 3 instead ? I'm not going to move to FF3 until this is fixed. Attempts to force the issue will, at most, result in me moving into another browser entirely.

Really, if you are having such problems moving your users to a new version, maybe it might be a sign that the new version sucks.

Re:A security update that reduces security

[Haeleth]

Yes, all this is true. (Except for the bit about Vista requiring less resources, but nobody has ever claimed that. XP also required more resources than Windows 98.)

Most XP users would be better off upgrading to a better OS such as Vista, OS X, or Ubuntu.

So, um, what was your point exactly?

Re:A security update that reduces security

[RiotingPacifist]

Vista requires less resources.

LOL

Re:A security update that reduces security

I've been using Firefox 3 since Beta 2, hasn't crashed once. Come to think of it, I've been using Firefox since before it was called Firefox, and I don't think I've ever had it crash.

Re:A security update that reduces security

Tactic of forcing an upgrade? What now?

Imagine if MS turned security features off in XP to encourage Vista adoption, would you be just as thrilled?

Assuming I was a Windows user, I would not be thrilled. However, this is something completely different. If they were to leave support for phishing detection in Firefox 2, it would no longer work once Google shuts it off. They could leave it in so that Firefox 2 users would feel secure when they really aren't, they could waste time and effort upgrading it to SafeBrowsing 2.1 which would be better spent working on Firefox 3, or they could just get rid of it.

I simply don't understand how people are more then willing to accept this behavior from their pet projects but would otherwise moan and complain forever is MS or Novel did something like this.

If you don't like what Mozilla is doing, simply ask for a refund.

Re:A security update that reduces security

[theaveng]

Even if it is going to "end of life", I still don't see why they need to disable the security protection. If Microsoft did that with XP, in order to try to get people to move to Vista, people would scream bloody murder.

But because this is Firefox, for some reason it's okay where if MS did it, people would call foul. Double standard.

Re:A security update that reduces security

[theaveng]

>>>Mozilla needs to strongly persuade people to move away from the old version.

And they do this by leaving Firefox 2 users "vulnerable to browser exploits" by disabling the security. Bassbackwards.

Re:A security update that reduces security

[theaveng]

>>> Idiot.

Immature. Leave the insults in the playground.

Re:A security update that reduces security

[theaveng]

Probably not for another year; I'll upgrade then. In the meantime I'll have the security with 2.0.0.18 that 2.0.0.19 does not provide.

Re:A security update that reduces security

[totally+bogus+dude]

Possibly it is a double-standard, but they haven't done any significant development on 2.x for quite a while, only security updates. Updating the Safe Browsing protocol may be considered "significant development" (I have no idea how much work would actually be involved) and therefore isn't really an option.

Since Google is going to be disabling their service which makes the phishing detector thing work at all, stopping the browser from trying to access it is a reasonable measure. It perhaps depends on the manner in which they disable it; if someone wants to make and use their own SBP 1.0 server with Firefox 2 they should be able to, so removing the code altogether would be bad, but disabling the option and hiding the UI option to enable it would be okay.

Your analogy should have compared the idea of Microsoft disabling a soon-to-be-unusable feature of IE6 to get people to move to IE7. A lot of people (especially here) would argue that's a good thing, as IE7 is more standards compliant and more secure than IE6.

Re:A security update that reduces security

[gullevek]

Because google will phase out the version they use now. As they do not do any active development on the 2.x tree, they will not upgrade it to the current version google uses.

Re:A security update that reduces security

[gullevek]

Firefox 3 crashes for me from time to time, 2 did the same, one too. They all use excessive amount of memory.

the only reason I use three is because i features the latest javascript and render engine. As for the rest there is no real change ...

Re:A security update that reduces security

Assuming I was a Windows user, I would not be thrilled. However, this is something completely different. If they were to leave support for phishing detection in Firefox 2, it would no longer work once Google shuts it off. They could leave it in so that Firefox 2 users would feel secure when they really aren't, they could waste time and effort upgrading it to SafeBrowsing 2.1 which would be better spent working on Firefox 3, or they could just get rid of it.

Or they could simply display an error message when Google finally shuts it off instructing the user to upgrade or turn the feature off and surf unprotected. I mean that is the simplist and you don't have to worry about people who are using it now finding out after it is too late that it was shut off and made less secure by a security update.

If you don't like what Mozilla is doing, simply ask for a refund.

Or I could point out the hypocrisy involved with it and hopefully change their minds. Or is this some bizarre universe where we can only do things certain people ordain worthy? I mean I already pointed to one of the choices that you overlooked with the disabling of working security protocols in a product that touts itself to be more secure. I hope it isn't you acting the decider of what actions are worthy.

And some of this hypocrisy is that FF had a meeting with MS, they then decided not to continue support for older windows versions at a time when everyone was outraged at Novel making a deal with MS. I guess the problem there was that the details became public. Now Mozilla is actually going to use a security fix that by all common understanding should make you more secure, so they can make your browser less secure and hope you upgrade to 3.0 for whatever reasons. That's really nice now. I suppose in a few weeks we will find some other detail about Mozilla making a deal that can extend motivations back to this. What gets me is that everyone give it a pass and doesn't care but when others do it, we are supposed to be outraged. I'll tell you what mr AC, when MS or Novel do something you don't like, I'll tell you to shut up and ask for a refund too.

Re:A security update that reduces security

[Tim+C]

And in a few years XP will reach its end of life and Microsoft will no longer support it.

What exactly is your point?

Re:A security update that reduces security

[theaveng]

At least Windows 98 still has its security enabled.

Microsoft didn't come along and disable the protection, which is what Mozilla is doing. MS left the security in place to protect Win98 users (like me and my old AMD-K6 laptop), whereas Mozilla is deliberately leaving people vulnerable to attack by turning OFF the security. That's just wrong.

Re:A security update that reduces security

[jesser]

Did Windows 98 have any security features that involved constantly grabbing data from Microsoft servers? Because that's what we're talking about here.

(Windows 98 stopped getting security patches in 2006, just like Firefox 2 is about to stop getting security patches.)

Re:A security update that reduces security

[icebraining]

Maybe the OSS promise requires users to actually do something instead of complaining on how Mozilla has the obligation of providing an upgrade for an old program.

OSS promise never was "you will get whatever software you want for free" but "you are free to modify whatever software you want to suit your needs".

Re:A security update that reduces security

[theaveng]

My Windows 98 does indeed still grab data from Microsoft servers. The data returned is typically "no updates", but the server is still there. Microsoft did not disable Win98's security and leave it vulnerable to attack. MS left the security intact.

Mozilla on the other hand, did (or soon will) disable Firefox's security in 2.0.0.19. In my opinion, that's a really bad idea.

Re:A security update that reduces security

[GXTi]

Because they won't work on XP anymore. It will not be supported and will no longer receive security updates.

XP receives lots of security updates. I notice every time it installs one without my permission, then interrupts my game of TF2 and forces me to reboot at gunpoint.

Re:A security update that reduces security

[bcattwoo]

The "double standard" comes from the fact that upgrading to Vista costs $100+ while upgrading Firefox costs only a couple minutes to download and install.

Re:A security update that reduces security

[TheVelvetFlamebait]

I anticipate not necessarily a massive increase in users updating to Firefox 3.0, but more likely a massive increase in phishing targetting 2.0 users who still think they're protected (they didn't pay attention to the update release notes).

That's OK, they can just check this link:

http://www.mozi11a-europe.org/en/products/firefox/2.0.0.19/releasenotes/

Re:A security update that reduces security

[Reapman]

The company is choosing to no longer support an outdated product. I'm quite confident if I put McAfee 1.0 in I wouldn't be able to get it to work, is that McAfee's fault? Why should the Moz team spend resources fixing an oudated, end of life product?

frankly if you want it fixed, grab the source and fork it. It's not up to the developer to go back and fix a product because another company (Google from what I understand) decided to stop supporting an outdated method. If ANYTHING this says something about relying on a 3rd party for a feature set.

Re:A security update that reduces security

[Ilgaz]

The answer would be running another browser (e.g. Opera, Safari, Konqueror) rather than running a very popular and yet insecure "abandoned" browser. There is already malware coded by blackhats for Firefox. Now imagine the lamers find a flaw in FF 2 which they know it won't be fixed. It is a very serious threat. 25% of users is very big deal. Way more big deal than entire Safari marketshare which Apple keeps fixing imaginary/ not exploited bugs.

I always wonder why not Seamonkey but... Anyway... People are so bugged about a mail client in browser it seems. Especially for corporate, Seamonkey is a great solution. It is in fact the real Mozilla you know. It just needs some more popularity.

Re:A security update that reduces security

[Ilgaz]

If I was on Windows/Linux and a FF 2 user, I would switch to another browser rather than being forced to upgrade.

They always forget the human factor. It is the human factor which gained them such popularity since at this point, whatever IE team does, it will be likely ignored by people who are _psychologically_ biased against them. Wasn't the forced updates that made people hate more from IE? Isn't it "update your IE or you will be haxored" threat makes people hatefully run windows update every freaking Tuesday?

Just don't make people "hate" you. It takes years and years to fix such a "bug" if even possible.

Re:A security update that reduces security

[jesser]

Firefox 2's software update feature will remain intact. Like Windows 98, it will usually get an answer of "no updates", perhaps with a "perhaps you'd like to update to Firefox 3?" message every 3 months or so. The only thing that's been turned off is updates to the phishing blacklist, and a stale blacklist isn't useful.

Re:A security update that reduces security

The auto-update *does* try to offer 3.x unfortunately. I say this because 3.x is a step backwards in usability vs. 2.x. If they hadn't broken the UI, I'd move to 3, but as it stands, I'll be using 2.x for the foreseeable future.

Re:A security update that reduces security

[jonadab]

> At least the version 2 users are being given some warning, as
> opposed to just being left out to dry without any heads up at all.

For a lot of us, Firefox 3 isn't really an option, because it's not available for our operating system. This is true for me on one platform (Debian stable) and for my mom on another (Windows 98, which I will eventually have to pry from her cold dead fingers I think).

Besides, Firefox 2 isn't that bad. Okay, sure, certain actions consume more CPU time than they should (e.g., opening a new tab, or turning page colors on or off). But on the whole the difference between Firefox 2 and Firefox 3 is mostly quite minor stuff, especially if you aren't absurdly excited about the location bar changes.

I think the Mozilla folks should chill out just a little and learn to *accept* the idea that some people might continue using the old version for a while.

Re:A security update that reduces security

[jonadab]

Heck, it was only a couple of weeks ago that I got the last of our PACs at work upgraded *to* version 2. These systems are on a private subnet and only have access through the firewall to a very short list of websites (three, IIRC), so upgrading them was low priority, and I just now finally got the last of them upgraded from sarge and Firefox 1 to etch and Firefox 2. Incidentally, upgrading them to Firefox 3 is not an option yet, for two reasons: first, an important extension they require has not been updated for Firefox 3 yet, and second, Firefox 2 isn't available for Debian yet (unless you run unstable or testing, which would be inappropriate for these systems).

Re:A security update that reduces security

[mysidia]

There are 4 types of people that actually bother to read release notes:

• Developers
• IT Admins
• Computer/browser enthusiasts
• Very curious people who want to read the long list of what's new

Most of the population doesn't fit into these categories.

The only way they'll know about it is if Firefox introduces a prominent nag screen into the update process that alerts them.

Re:A security update that reduces security

[jonadab]

> Because they won't work on 2.0 anymore. It will not be supported and
> will no longer receive security updates. How hard is that to understand?

It's not difficult to understand.

It's also not relevant. I'm pretty sure the license terms it's released under allow us to continue using the software on our computers until *we* decide we don't want it anymore. Those of us who choose to still use it are mostly *aware* of the fact that it's not the latest version and is not officially supported any more, but for one reason or another we choose to still use it anyway. We're allowed to do that, and if the Mozilla folks don't like it they can go jump in a lake.

It is worth noting here that Firefox 3.0 is not available for the latest stable version of my operating system, and I'm certainly not going to run unstable versions of every library and application on my whole computer just to accommodate one application whose developers have their knickers in a twist. And it's not like Debian is an obscure platform, especially in the open-source community. I shall continue to run Firefox 2.0 until version 3 becomes available for the *stable* version of Debian, and if the Mozilla folks don't like it they can go soak their collective head.

My mom's in a similar situation with her OS of choice, and although Windows 98 is no longer supported by the distributor (Microsoft in that case), the upgrade would cost money *and* require newer hardware, which just isn't in the budget, so, again, she's going to run Firefox 2.0 for another couple of years probably, and if the Mozilla folks don't like it they can go play in traffic.

However, with all that said, the turning off of the anti-phishing thingydoo doesn't really bother me much, especially if it's Google that's discontinuing the service the old software uses. It's more the continual "stop using version 2.0" harping they do on every forum on the whole internet that bothers me. Go fly a kite. We know the old version isn't supported anymore, and we don't care, so give it up and leave us alone already.

Re:A security update that reduces security

[TheVelvetFlamebait]

Ah, you obviously don't get it. Look at the link again ;)

Re:A security update that reduces security

[gparent]

> Because they won't work on 2.0 anymore. It will not be supported and > will no longer receive security updates. How hard is that to understand? It's not difficult to understand. It's also not relevant.

It is relevant. It's the very reason they're not upgrading 2.0 to the new anti-phishing module. If they were, we wouldn't even be discussing this.

Re:A security update that reduces security

It's a breach of trust to tell me I can't upgrade to 3.0 because they are bias against my OS. The only way I could upgrade to 3.0 would be to make my own compatible distribution of it.

Re:A security update that reduces security

[sumdumass]

Or they could simply display an error message when Google finally shuts it off instructing the user to upgrade or turn the feature off and surf unprotected. I mean that is the simplist and you don't have to worry about people who are using it now finding out after it is too late that it was shut off and made less secure by a security update.

Gee, that makes sense.

Re:A security update that reduces security

If Microsoft did that with XP, in order to try to get people to move to Vista, people would scream bloody murder.

Uh, huh.

But because this is Firefox, for some reason it's okay where if MS did it, people would call foul. Double standard.

Yeah, sure.

And of course, it's not like one upgrade path costs a bunch of money while the other is free, is it?

You, sir, are a fucking idiot.

Re:A security update that reduces security

Or, maybe you are a moron who forgot to read even the short text up there, that said "the phishing protection in Firefox 2.0 is based on a Google product - and Google will turn that product off in a little time".

So even leaving the phishing protection in will not do anything once Google turns off the lights.

Removing it though will at least make this more visible.

Re:A security update that reduces security

You're kidding right? Security patches maybe, but Seamonkey still does not have a release using Gecko 1.9 yet (how long ago was Firefox 3 released?). I don't count alphas as releases either.

Odds are that if they haven't upgraded by now

I doubt phishing protection will be what gets them to do it.

Why would anyone use FF2?

[Miladinoski]

I mean, it's ridiculous: if you like Firefox you should upgrade to the 3rd version and if in any case your OS is older and it doesn't support Firefox 3 I see no reason not to use Opera which supports every OS from Win 95 to Vista and from OS X 10.0 to 10.5 (unlike Firefox 3 of course).

I see no need of using a browser whose support will end soon and with many people not using the latest version people who have popular websites (like Slashdot for an example) can just make the updates in their web pages slower because they'll see that FF2 is still used much and not add the so much wanted features (or they will work very slow in older browsers) because not a lot of people will use them. Yeah, they can say Upgrade to [insert a newer browser name here] but that won't make a lot of people update because they are lazy.

Re:Why would anyone use FF2?

[mysidia]

You just gave a reason for Firefox 2 users not to upgrade to Firefox 3.

The reason not to switch from Firefox 2 to Opera instead (for older systems) is the same reason for Windows '98 users to not switch from MSIE to Firefox.

They are more familiar with their chosen browser, and there is an inherent resistance to switching.

It's ashame the last major, tried and true, stable release of Firefox is EOL'ed so rapidly, in favor of the bleeding-edge FF 3.

What would you think of Microsoft if they had discontinued further security updates for Windows XP in 2007, one year after the release of Vista?

Re:Why would anyone use FF2?

[shentino]

Not to mention that Opera aced the Acid3 test.

IMHO, that's high praise indeed for a browser.

Re:Why would anyone use FF2?

[Miladinoski]

Yes, you have a point there, I can't say you are wrong, but I don't get why wouldn't you give up for something that is newer and works on your older machine (and is supported too) than use what you are used to, but get significantly slower browsing.

I certainly would give up from something that I am used to, to something that works better.

Re:Why would anyone use FF2?

[i.of.the.storm]

Not sure what's so bleeding-edge about FF 3, it's a lot more stable and faster than Firefox 2 was. I think your word choice is a bit disingenuous and designed to make FF 3 look bad. And the situation is a bit different since upgrading from XP to Vista costs money, whereas unless you're on Windows 98 upgrading from Firefox 2 to 3 doesn't cost a thing.

Re:Why would anyone use FF2?

[Richard_at_work]

I mean, it's ridiculous: if you like Firefox you should upgrade to the 3rd version and if in any case your OS is older and it doesn't support Firefox 3 I see no reason not to use Opera which supports every OS from Win 95 to Vista and from OS X 10.0 to 10.5 (unlike Firefox 3 of course).

And what if you are still on FF version 2 because you don't like some of the 'features' introduced in FF version 3? I'm looking at you, 'Awesome Bar'.

Re:Why would anyone use FF2?

[bencoder]

And what if you are still on FF version 2 because you don't like some of the 'features' introduced in FF version 3? I'm looking at you, 'Awesome Bar'.

There was a lot of resistance to the awesome bar, and I thought it was a stupid idea at first, but honestly, give it a week and you'll get used to it and wish it was there when you're forced to use other browsers.

Re:Why would anyone use FF2?

[mR.bRiGhTsId3]

If you're using a windows version that firefox doesn't support then getting phished because the filters got turned off is the least of your worries (what with the multiple rootkits and keyloggers that are already on your machine)

Re:Why would anyone use FF2?

[Richard_at_work]

I've given it since it was introduced - I still hate it. Do I need to give it any longer?

Explain to me why the 'Awesome Bar' decides that, when I start typing the domain name of a website I visit daily, it thinks I would prefer the url of a site I visited once several months ago? Daily or several months ago. What makes more sense?

Re:Why would anyone use FF2?

[daeg]

Firefox 3.1 is introducing some preferences where you can, IIRC, disable sources of information AwesomeBar queries. I think you could tune it to remove those results. There are addons as well that pre-prioritize the results to be more like Firefox 2.

Re:Why would anyone use FF2?

[mysidia]

The reason I consider it bleeding edge, is a bunch of plugins don't work at all with FF3. It's a relatively new, unproven release, in the grand scheme of things.

Probably the single most important reason I don't want to use FF3 though is it's stupid handling of sites with self-signed certificates. The circuitous steps required to "add an exception", make you think you're about to give some russian hacker full control of your computer.

Try explaining to a user how to view their sites which suddenly don't work in FF3, because of this. If someone complains about the site not working and describes that message, I tell them to downgrade to FF2, which actually lets you still access the site (with just a simple dialog box).

FF3 keeps needing updates frequently, security bugfixes (I guess), and I kept running into crash bugs with FF3, several times a day, even the latest version of FF3, whereas FF2 and FF1 were rock solid, rarely ever crashed.

FF2's issues are pale in comparison to some of FF3's.

Re:Why would anyone use FF2?

[Richard_at_work]

None of the addons actually work to the extent where I get my behaviour back - and I do tend to wonder why I need to go to such huge lengths, and time sinks, just to get the behavior that I have become acustomed to over the past 15 years. If it were anyone but Mozilla doing this....

Re:Why would anyone use FF2?

[caitsith01]

I totally agree. After how much trying is one entitled to simply decide that one does not like a particular piece of software?

FF3 has decided that people like me, who actually like using URLs to access on-line resources (crazy, I know) would rather have some higher-level language based address system which trawls through your history and bookmarks and spews them forth into the address bar whether you want them there or not. I have tried everything to disable this "feature" without success.

It would be trivial for them to include options about this stuff, but apparently the old ways are forbidden and options are 'confusing'. That kind of attitude is what ultimately loses you users.

Re:Why would anyone use FF2?

[Toonol]

And you can always get the "oldbar" addin, to fix the "Awesomebar". It's one of the addins I always install, along with flashblock, mouse gestures, etc.

I don't have a problem with Mozilla including the awesomebar in Mozilla 3.0; I dislike how they stripped out the functionality to revert to the simpler, more rational original toolbar. 3.0 betas had configuration options to switch.

Re:Why would anyone use FF2?

[i.of.the.storm]

I agree that the self signed certs are stupid, but I've had a much more stable experience with Firefox 3 than 2, and I ran the nightlies for several months. I'm running 3.1 nightlies right now too and almost all of my extensions still work. I don't see how Firefox 3 is getting security updates any more frequently than Firefox 2; most of the time they have simultaneous updates for 2 and 3. And it's not that new anymore either... I would probably blame crashes on bad extensions or plugins.

Re:Why would anyone use FF2?

[MoFoQ]

Well, one reason why is that computers using Win9x can't run FF3 so you're stuck with FF2 (especially in cases where upgrading the OS is not feasible either economically or for other reasons).

Re:Why would anyone use FF2?

If you have been using Firefox 2, then you *haven't* been giving Firefox 3 a chance "since it was introduced"; you only gave it a chance until you switched back. It's obvious that you're too stubborn to use the awesome bar regularly because it learns which sites you like to type into it, and it only takes *one* try. If you type a single letter in the bar, then select the site you want from the list, the very next time it will appear at the top of the list. In the worst case, you have to type the whole url *once*, then the second time only three or four letters, and after that it should only take one. And here's a hidden feature for you: if one of the bar's suggestions offends you for some reason, you can banish it by pressing shift-delete (this also works for form autocompletion).

I miss the Aweseome Bar's learning when I use Chrome. GMail's URL does not start with G, but Firefox learned that when I typed G I wanted GMail. In Chrome I have to remember to type "M" for GMail, becuase no matter how many times I type "GMail", then scroll down and select https://mail.google.com/mail/, it won't remember.

Re:Why would anyone use FF2?

[Richard_at_work]

Ahh, someone who knows me inside out - glad you could be of service, but nothing you said has been of any help to me.

Firstly, who said I wasn't using FF3? I certainly never did in this (or any other) thread - you simply surmised that from things I did say, and your assumption has proven to be wrong. I use FF3 daily, because it has better memory usage than FF2 - but the Awesome Bar still sucks, even after six months of usage and 'training' as it certainly doesn't seem to learn my browsing habits.

Take, for instance, the example I gave in another thread - I start typing the domain of a site I use daily and the 'Awesome Bar' decides that what I actually want is a site I visited once, several months ago. How many times should I train the 'Awesome Bar' in that situation?

I want my old url bar back. You have said nothing which has changed my opinion of the current system.

Fine, some people may find it better than the old alternative - so why not make it an option they could use? Even make it the default, just allow it to be disabled. Or am I worth less as a customer to Mozilla for some reason?

Re:Why would anyone use FF2?

https://addons.mozilla.org/en-US/firefox/addon/6227

You didn't try too hard, did you?

Personally, though, I love the new bar.

Re:Why would anyone use FF2?

[erroneus]

I'd be fine with going to Firefox 3.x under Windows98 if there were support for it. I cannot get FF3.x to install under Win98... says it needs Windows 2000 or newer. So if I want to run my Win98 VM, it can't have FF3.0... annoying.

Re:Why would anyone use FF2?

[ratboy666]

Faster? Has the fsync issue been resolved yet?

Firefox 2 works fine for me, and I really see no reason to upgrade (I did have a compelling reason to move to OpenOffice.org3, though). FF2 works for me, and it is a "known quantity". FF3 isn't, and hasn't provided a single compelling reason to upgrade (yet). I upgraded from oo2 to oo3 to take advantage of: limited pdf import, read support for latest microsoft office(tm), better presentation controls (these three are very useful, and where compelling).

ff2 to ff3? I don't care about the speed of javascript, I don't have memory problems, or rendering problems. Java works ok, and I am used to the UI. I don't really care about "anti-phishing", and I find ff2's treatment of self-signed certificates annoying enough.

Is there something I am missing?

Re:Why would anyone use FF2?

[ion.simon.c]

The reason I consider it bleeding edge, is a bunch of plugins don't work at all with FF3.
It's a relatively new, unproven release, in the grand scheme of things.

Mmm.
In the grand scheme of things, VMS and masonry are new and unproven things, too.

If someone complains about the site not working and describes that message, I tell them to downgrade to FF2, which actually lets you still access the site (with just a simple dialog box).

*points* *laughs*
Moron. I hope that you don't work a helpdesk or IT somewhere.

FF3 keeps needing updates frequently, security bugfixes (I guess), and I kept running into crash bugs with FF3, several times a day, even the latest version of FF3, whereas FF2 and FF1 were rock solid, rarely ever crashed.

System specs? Installed plugins?

Re:Why would anyone use FF2?

[Richard_at_work]

From that page -

oldbar only affects the presentation of the results.

You didn't look too hard, did you? Oldbar doesn't change what we want changed - the algorithm behind the url bar function. I wish people would stop offering it as the ultimate solution to the 'Awesome Bar', because it isn't.

Re:Why would anyone use FF2?

[ion.simon.c]

They are more familiar with their chosen browser, and there is an inherent resistance to switching.

Kind of like the US and the Metric System?

Or like the dumb blonde and her abusive boyfriend?

Re:Why would anyone use FF2?

[Ramze]

FF3 has been out for 6 months... longer than that if you include the betas. I wouldn't call it "unproven." If plugins you use don't work under FF3, it's the plugin developer's fault and the plugins may be abandoned projects. I've had 4 plugins discontinue working under FF3 because they were abandoned. One works, but has some features that do not work because it hasn't been updated in years. I have 12 others that are still running just fine, though -- because their authors actually bothered to update them to work with the betas and the final FF3.

I've come across the exception thing you've mentioned maybe twice in the past 6+ months and in at least one case, it was because the site was impersonating another site... kind of a phishing thing, I guess.

Your mileage may vary, but I surf the web a lot with 50+ tabs open at any given time from pages from all over the world (USA, Japan, Russia, Germany, etc)... and I've only had FF3 crash less than a dozen times since its release (after the most recent flash and FF3 update within the past few weeks, it crashed 3 times while watching hours of streaming video from ABC and CBS, but I can't say whether that's FF3's fault or the plugins for the sites)

Firefox does update quite a lot. I like that. The updates are mostly to patch browser exploits. FF2 will no longer be getting those as it's at end-of-life.

You can continue using FF2 for as long as you like, but sooner or later, you'll need to switch to another browser for some feature you need -- whether that's FF3 or Opera or whatever is your choice. Your experience with FF3 is likely atypical... at least it's nothing like my own experience with FF3 or that of my family and friends that switched many months ago.

Re:Why would anyone use FF2?

Why bother? Your behavior is outdated.

Re:Why would anyone use FF2?

[Shikaku]

https://addons.mozilla.org/en-US/firefox/addon/7637

Old location bar.

"I can't install it!"

http://www.fileden.com/files/2007/5/14/1079307/old_location_bar-1.3-fx.xpi If you don't want to register. This is a different extension from the other extension which only changed the appearance.

Re:Why would anyone use FF2?

[caitsith01]

I'm well aware of that add on. Call me when it displays URLs only, and only suggests them based upon the same algorithm used by FF2. Until then, it just reduces the level of annoyance produced by the new address bar.

Re:Why would anyone use FF2?

[i.of.the.storm]

I think they were doing something with fsync on the 3.1 trunk but I don't know what happened with that, and I don't use Linux primarily so I don't really know. I find the "Awesome Bar" much more useful than the regular address bar, and google copied it for Chrome so it seems like they think it's a good idea too. I again don't see how 3 isn't a known quantity, it's been out for ages and the speed improvement is really nice. I don't understand why anyone wouldn't want faster javascript knowing that it's there, since stuff like Display2 is javascript heavy and AJAX is the Next Big Thing (TM). Also, bookmarking is ridiculously simple in Firefox 3 and tagging and everything is really nice, and the bookmarks are stored in an SQLLite database so it's a lot faster searching with large numbers of bookmarks. I guess if that's not how you use your browser it might not help much, but I don't think there are any significant regressions in Firefox 3, unless you count the Awesome Bar as a regression, which I think is a stupid way to think personally.

Re:Why would anyone use FF2?

[Shikaku]

https://addons.mozilla.org/en-US/firefox/addon/7637

Old location bar works with the algorithm and appearance.

http://www.fileden.com/files/2007/5/14/1079307/old_location_bar-1.3-fx.xpi

If you don't want to register to install it.

Re:Why would anyone use FF2?

[mysidia]

Moron. I hope that you don't work a helpdesk or IT somewhere.

Support issues matter, Moron; FF3's self-signed "invalid" certificate warning screens are about the most braindead thing i've seen in UI design in 15 years (since the introduction of Clippy in MS Office).

But fear not, group policy, signed binaries, and lack of write permission to "C:\program files" has prevented the truly clueless from improperly upgrading to FF3 on their own for the past 6 months, and the next 12 months will be no different, except MS IE7 may become a mandated replacement, due to Mozilla saying FF2 is EOL.

IE7 is certainly more convenient than trying to roll a custom install of FF with a custom trusted CA to sign intranet sites' certs with.

System specs? Installed plugins?

OS X 10.4.11.

99% pristine install of FF 3.0.4, the only added plugin/addon is Adobe Flash player and the Java plugin, both of which worked perfectly in FF2, and are absolutely essential for a modern browser.

A bug in FF3 being able to work with either of those plugins when FF2 works perfectly for the exact same flash and java applets, is a bug in FF3.

I have observed similar crashes of FF3 on Windows XP.

Re:Why would anyone use FF2?

If you're so 'hardcore hax0r' and use only URLs why do you even need autocomplete? Turn it off or ignore it and shut up about it.

Re:Why would anyone use FF2?

[mysidia]

FF3 has been out for 6 months... longer than that if you include the betas. I wouldn't call it "unproven."

6 months is actually not enough time for software to prove itself too thoroughly, unless you're MS, and you measure your installs in the billions.

Proven software is more like the RH Linux 2.6 kernels, which are 1 year old, and have been thoroughly QA'ed and extensively tested at several layers. FF2 is essentially proven software, because it's been out for over two years, shown to work well, and point release bugfixes have been made for most issues it ever had.

For software as important as the browser, 6 months is nothing.

MS IE7 has been out for almost 2 years, and I consider that has just left 'bleeding edge' status, very recently. There are still many things that still only work with IE6; things like the web-based admin interface on certain hardware.

IE6 is a crashing pile of dung, and IE7 happens to be more pleasant software to use, but that doesn't mean IE7 is proven software.

IE6 is proven software (proven to suck)

Re:Why would anyone use FF2?

If that's the only reason, you can always disable it. It will need some about:config-diving, though.

Re:Why would anyone use FF2?

There is a difference between Microsoft and Mozilla though. You pay for microsoft's operating system, you expect it to be updated. Firefox is free. They should appropriate their resources how they feel best.

Re:Why would anyone use FF2?

you'll get used to it and wish it was there when you're forced to use other browsers

Honestly I find IE8's "Awesome bar" (Whatever it's called) superior.

Re:Why would anyone use FF2?

[ultranova]

I don't think there are any significant regressions in Firefox 3

Here's one.

Re:Why would anyone use FF2?

[Miladinoski]

I think I answered that, because when FF2 gets obsolete in couple of months (yeah, obsolete means many sites turning it down) what will you do? Because upgrades cost money, and switching to another browser costs only the changing of the habits I'd personally choose the second one.

Re:Why would anyone use FF2?

[isorox]

I miss the Aweseome Bar's learning when I use Chrome. GMail's URL does not start with G, but Firefox learned that when I typed G I wanted GMail. In Chrome I have to remember to type "M" for GMail, becuase no matter how many times I type "GMail", then scroll down and select https://mail.google.com/mail/, it won't remember.

I use Firefox3, but I type "gmail", which takes me to gmail.com, which redirects to https://mail.google.com/ quicker than awesomebar renders.

Re:Why would anyone use FF2?

[ion.simon.c]

Support issues matter, Moron; FF3's self-signed "invalid" certificate warning screens are about the most braindead thing i've seen in UI design in 15 years (since the introduction of Clippy in MS Office).

Heh. They're not nearly as braindead as *you*.

The circuitous steps required to "add an exception", make you think you're about to give some russian hacker full control of your computer.

...

If someone complains about the site not working and describes that message, I tell them to downgrade to FF2, which actually lets you still access the site (with just a simple dialog box).

Seriously. Listen to yourself.

Pity about your crashing issues. My copy of FF3 has been running for a month straight (and counting) on my WinXP box. It also has the Flash and Java plugins installed. :)

Re:Why would anyone use FF2?

[karstux]

If you visit a site daily, why don't you use a bookmark?

Or am I worth less as a customer to Mozilla for some reason?

You're not a customer, and free to use an alternative.

Re:Why would anyone use FF2?

[Richard_at_work]

If you visit a site daily, why don't you use a bookmark?

Why should I? In any case, sometimes typing the first few letters in a domain is faster than going to bookmarks, finding the right bookmark and selecting it.

You're not a customer, and free to use an alternative.

I most certainly am a customer - Mozilla gets income from my searches.

Interesting to note that I raise a valid complaint, one that many people seem to have, and I get back 'you are free to use something else'. If thats not kicking the customer in the teeth, what isn't?

Again, I say that if it wasn't Mozilla doing this.....

Re:Why would anyone use FF2?

[mysidia]

Pity about your crashing issues. My copy of FF3 has been running for a month straight (and counting) on my WinXP box. It also has the Flash and Java plugins installed. :)

You know I still like FF3 despite the crashing issues... at least when it crashes, it's smart enough to reload tabs.

But just like there are things that many users have problems with about Vista, there are issues with FF3, that legitimately stop some users from upgrading.

The FF team should be working on fixing issues (like ridiculous UI, convoluted process to make an exception for accepting a site using a self-signed cert.)

Instead of concentrating on updates to FF2 to motivate an upgrade by taking away features.

Re:Why would anyone use FF2?

[ion.simon.c]

You know I still like FF3 despite the crashing issues... at least when it crashes, it's smart enough to reload tabs.

Session Manager plugin... since early FF2. Check it out. It's still better than core FF3.

The FF team should be working on fixing issues (like ridiculous UI, convoluted process to make an exception for accepting a site using a self-signed cert.)

Did you let them know that their UI sucks?
Have you submitted alternate UI ideas?
Working proposals and/or code or GTFO.

Instead of concentrating on updates to FF2 to motivate an upgrade by taking away features.

Seriously. Listen to yourself.

Re:Why would anyone use FF2?

[GlennC]

And will these preferences including turning the "AwesomeBar" off completely? Because that's what I want.

Re:Why would anyone use FF2?

[karstux]

The "I'm a customer, meet my demands" argument simply doesn't work for free (as in beer and freedom) open-source products. You're not paying money, you can't complain about the product, at least not with the valid expectation of your complaint being heeded. By all reasonable definitions, you're *not* a customer at all.

If you don't like the software, you can either improve it - submit patches or fork it - or use something else. Nobody's under any obligation to cater to your needs. That's not "kicking your teeth". It's probably not good for community relations either, but that's a different pair of shoes.

Re:Why would anyone use FF2?

[Richard_at_work]

Oh I'm sorry, because I'm not paying money I don't have any grounds to complain?

I think your post says it all about the attitude involved here.

Safari, here I come.

Re:Why would anyone use FF2?

[Quantumstate]

Given that firefox 3 runs faster and uses less memory. Also the system requirements appear to be identical. Aside from this the upgrade is free and requires a small download. Your web browser has virtually no dependencies unlike an operating system which has all of your software on it. Other than these minor points your analogy works really well.

Re:Why would anyone use FF2?

You can always implement new protocol yourself and submit as a patch to Mozilla. I think that they will gladly accept this patch.

Or you can make a donation to Mozilla for this purpose.

Or you can hire someone to implement this.

Re:Why would anyone use FF2?

[Acaeris]

If I need to list the sites by url, I just start the address at the '.' e.g: '.slashdot' list all the slashdot bookmark/history entries Other than that, I've hardly noticed a difference between the handling of addresses in FF2 and FF3.

Re:Why would anyone use FF2?

[SuseLover]

Not for me. FF2 is/was the most stable browser I have been running for past couple years. Now that I am using FF3, every other video plugin crashes on me. I can no longer go to trailer.apple.com to watch HD trailers (still works fine w/FF2 though). FF3 is noticeably slower on my system (Ubuntu 7.10/i686/2.4GHz) than FF2. Even though I will lose anti-phishing functionality in FF2, moving to FF3 will cause me to lose even more supported add-ons than that.

Re:Why would anyone use FF2?

[i.of.the.storm]

Most addons that don't use the bookmarks system will probably work unmodified (aside from bumping the compatible version) on Firefox 3, since that's the main area of API change. You can use something like Nightly Tester Tools or MRTech Toolkist to force compatibility. I've never had working video plugins in Firefox anyway besides Flash video players I guess. But I suppose the speed issue varies from system to system, Firefox 3 has been noticeably faster on my computers than Firefox 2 ever was, and uses significantly less RAM.

Why bother?

[Ambvai]

I consciously refused to upgrade to 3.0-- a number of my extensions and scripts don't work right and it's incredibly ugly in my opinion. Workarounds/alternative settings exist, I'm sure... but how much are people really missing out on by refusing the updates?

Re:Why bother?

[andy9701]

Have you checked back to see if your extensions/scripts have been updated to work with FF3? I could see that being the case right around when it was released, but hopefully they should be updated by now (assuming that they are still actively developed).

There are a variety of themes that you can use to make FF less ugly - I don't like the default theme myself on Windows (the default Mac one is fine; I'm not sure about the default Linux theme). Personally, I like Qute when running on Windows (it was the default theme during the pre-1.0 days, if you were using FF back then). I'm sure there are other themes that make FF less ugly, as well.

Personally, on OS X at least, I've found FF3 to be much, much better than FF2. It's very stable, and uses a lot less memory. I only have about 5 extensions installed, but I haven't had any problems with it at all since its release (aside from some extension oddness, but that is hardly Mozilla's fault).

Re:Why bother?

[Wansu]

Thus far, I haven't found any effective way to clear FF3's location bar. Dubbed the "Awesome bar", it remembers URLs of certain sites you've visited. The last time I tried it, clearing private data did not clear the location bar. I tried several settings changes that were suggested. One change will cause FF3 not to display these URLs but they are still stored. If you change the setting back, they are all still there. Apparently, the "Awesome bar" feature was so highly thought of that none of the developers considered that a number of users might not appreciate it's privacy implications.

Re:Why bother?

[BobReturns]

Why do you want to change it? I find it quite a useful (Might go as far as saying awesome) feature myself. Unless you have truly major privacy concerns (Wife & a porn addiction?).

Re:Why bother?

[ShakaUVM]

>>I consciously refused to upgrade to 3.0-- a number of my extensions and scripts don't work right and it's incredibly ugly in my opinion

Yep, and yep.

For me, merging the left and right arrows was the biggest issue for me.

Re:Why bother?

The awesomebar displays items from your history as well as your bookmarks. Removing items from either will "remove" them from the awesomebar.

Re:Why bother?

[Richard_at_work]

The 'Awesome Bar' is one of the things I hate about FireFox 3 (and the hate list isn't all that big).

Thanks, Mozilla, for deciding that I need to change my tried and tested browsing habits of 15 years, simply because you think your way is better - you could have at least given us a way to revert to the old url bar behaviour, but you didn't.

And yes, I've installed various extensions, I've tweaked the about:config and no, it doesn't get the behaviour anywhere near FF2 - infact, some of it is just plain broken, like having the 'browser.urlbar.matchOnlyTyped' setting set to true still allows the url bar to match on non-typed urls.

It sucks.

Re:Why bother?

[compro01]

The addon NoUn Buttons fixes that.

Re:Why bother?

[Plutonite]

I don't understand how you don't appreciate the feature (which I think is the most beneficial addition to browser tech since tabs), but you can simply rid your computer of browsing history and that should do it. It forms queries from what you type, and I haven't checked but it looks like it has an index of those queries as well, stored somewhere under it's installation folder (it adapts to your choices so it must store query history).

Seriously though, take off the tin foil hat and try it out. It's awesome. I don't know why it took them so long to figure out that human beings are not meant to remember URL strings or type them verbatim in a casual environment. In fact, maybe the next step should be adapting the google search bar to suggest pages you haven't even visited yet(as opposed to auto-complete, which comes up with query suggestions), based on the query/segment you are typing. It shouldn't be too hard to tune. That way, google can mind read both your searches and your URLs! Yay! *gulp*

Anyway, you can always install another bare bones browser for any shady activity you want to engage in.

Re:Why bother?

[mR.bRiGhTsId3]

Thats odd. Maybe a glitch in the clear private data. I've done into the history and deleted things manually, they are then gone from the bar.

Re:Why bother?

[Culture20]

oldbar is the closest approximation of the old location bar's function. Close enough that I finally made the jump to FF3 (the mid Dec deadline helped a little too).

Re:Why bother?

[caitsith01]

I don't understand why you can't understand that some people don't like this 'feature'?

It's one thing to say you like it, but another thing to attack others for not doing the same. Grow up and accept that it is a legitimate criticism of FF3 that it forces users to adopt a particular auto-complete system for the address bar which runs contrary to years of established practice.

As for "install another bare bones browser", I think you'll find it's called Firefox 2 and it's all you need...

Re:Why bother?

If you look more closely, you will notice this "history" includes bookmarked pages.

Re:Why bother?

[Richard_at_work]

As noted on that page, it doesn't change the algorithm - and thats what I hate about the 'Awesome Bar'. You aren't the first to recommend it.

Re:Why bother?

[RealGrouchy]

I don't get what all the hate is about for Mozilla doing this. It's Google's protocol, which they are deprecating, if TFAS is accurate. All Mozilla is doing is keeping people from inevitably getting "cannot connect to anti-phishing server" messages once Google discontinues it.

- RG>

Re:Why bother?

It sucks.

No, it doesn't.

What IS true is that you're unwilling to change your browsing habits and therefore unable to even so much as look at the new location bar. Which is fine, of course - you don't have to use it, you don't have to like it, you don't even have to try it.

But that doesn't mean it sucks. It merely means you didn't even give it a chance and instead instantly dismissed it because it's new and different and not what you always used.

Re:Why bother?

Clear private data does in fact clear the awesome bar if you clear your history. If specific entries offend you, you can delete them directly from the bar via shift-delete so you don't have to wipe out your whole history.

Re:Why bother?

[16384]

I use the old bar and hide unvisited add-ons, and set the maxRichResults to 48 or so. The Old bar merely changes the appearance of the bar to match the old one, but the Hide unvisited add-on removes all the clutter from the results, so that the remaining matches are actually useful.

Re:Why bother?

What IS true is that you're unwilling to change your browsing habits and therefore unable to even so much as look at the new location bar

Different poster from above, however...

Last time I checked, I am the one using the software, the software should be doing what I want, not forcing me to do what it wants.

But that doesn't mean it sucks. It merely means you didn't even give it a chance and instead instantly dismissed it because it's new and different and not what you always used.

If the software removes features vital to the user, yeah, it means the software sucks. I also waited a couple years to migrate from GNOME 1.2 to GNOME 2.x because 2.0 stripped out too much stuff that I considered vital and it took a long time for things to trickle back in. Even now, there are things I miss from the old days but I reluctantly use the current version since everyone else (in terms of apps) has moved on.

Not everyone wants new and shiny... and stripping existing features without consideration for their use reeks of arrogance, much like your post. Do what the software tells you to. Do what the devs tell you to. You aren't the user, you're our pawn. Now stroke our egos.

I'm still using Firefox 2.0.18 for one reason... the "awesome" bar. I've tried using it for a month and I flat out can't stand it. I have very organized bookmarks and rarely enter URLs in the address bar. When I do, I don't want the software getting in my way (and no, oldbar doesn't revert the functionality)

Re:Why bother?

[jgalun]

I've been using Mozilla since M12 or so, but the awesome bar drives me crazy. If I start typing "nytimes," I want it to find www.nytimes.com. I don't want it to find a blog entry whose title is "NYTimes Fails Again" or some page at the nytimes that I visited more recently than the homepage (like www.nytimes.com/oped/krugman14.html).

I know the sites I browse to. I just want Firefox to autocomplete to the domain. I don't need it to search my browser history for me, because I know where I want to go.

I'm not saying that the Awesome Bar is bad, or attacking people who do like it. I just don't like it, and I finally decided recently to downgrade back to 2.0. I hope Firefox 3.1 gives us a lot more control over how the Awesome Bar operates.

Re:Why bother?

[AlXtreme]

The 'Awesome Bar' is one of the things I hate about FireFox 3 (and the hate list isn't all that big).

Exactly! Mozilla, kill the Gruesome Bar and I might give FF3 another look.

Until then, you can pry FF2 from my cold dead hands.

Re:Why bother?

[Plutonite]

But it doesn't! You can always be dick and type the whole URL out, it won't stop you. It probably just sets a variable "userIsSadistic" or something. Jeeze.

Re:Why bother?

It learns. Visit nytimes.com a couple of times using it and it will rank that choice higher than a more recent one as you say. It is only annoying once you start using it, but soon all your best choices will rank at or near the top. Perhaps domain-only searches should be an option though (although it has helped me many times when I did not know the URL but I did know other info about the page).

Re:Why bother?

[caitsith01]

But it doesn't! You can always be dick and type the whole URL out, it won't stop you. It probably just sets a variable "userIsSadistic" or something. Jeeze.

You don't get it do you? In FF2, if I want (say) google, I can type g+[enter] in the address bar and rely on the fact that Google is my most commonly visited site with an address starting with 'g'. If I need more precision, one or two letters is usually enough.

Now if I type 'g' I get a random range of options from my bookmarks, history etc which contain the letter 'g' anywhere in their name or URL. THIS IS NOT USEFUL. More to the point, it's not the behaviour I want, and I know many, many other Firefox users agree (just do some Googling to see the epic flame wars).

Also, what if I want my browser to maintain a history, but I don't want it flashing randomly across my address bar in moderate detail when I type something in? What if I want to bookmark things, but don't want the contents of my bookmarks advertised on screen when I want to type in a URL?

Re:Why bother?

[Shikaku]

*ring ring ring*

https://addons.mozilla.org/en-US/firefox/addon/7637

Old location bar works with the algorithm and appearance.

http://www.fileden.com/files/2007/5/14/1079307/old_location_bar-1.3-fx.xpi

If you don't want to register to install it.

Re:Why bother?

[barrkel]

Still not there:

• Restart Firefox
• AllCookies - dump Cookies
• A simple cookie file that can be read and written by third-party applications

It's the cookie problem that I have biggest issues with. Sqlite was the biggest problem when FF 3 first came out, but it has since receded somewhat.

Since I don't use AwesomeBar at all, I would be very glad if Sqlite was ripped out and nice, easy to use text files were restored.

Re:Why bother?

[barrkel]

Great. Rather than being correct first time, you must teach this unruly dumb kid how not to apply its stupidity.

What's more it can't learn the rule; it needs to be taught repeatedly, again and again for every site.

Re:Why bother?

Clearing the history does infact work. It will always remember your bookmarks though.

So that nasty porn site that keeps appearing when you start typing something in the bar causing you some embarressment is because you have bookmarked it dumb fuck!

Re:Why bother?

[Plutonite]

Look, do you think I would be using FF3 if I could not (after allowing the program to adapt it's counts/indices) find google.com or any other website with relative ease within a week of using the thing? Of course it doesn't rank everything right out of the box..it's a complex piece of software. Initially you will get the "mess". But now when I type "goo" I get both google.com and gmail and maps.google.com and all the things that I typically use. Just because it doesn't restrict itself to domain names doesn't mean it's not very well implemented or incredibly useful. In fact, there will be many cases where the domain is hosted on something nonsensical but the page *title* is easy to remember, and you might not get it via a quick websearch because it's ranked so low by google. Like a web portal for your university. If you didn't lose your patience with it so quickly and you let it learn your preferences you wouldn't know how to live without it now. But each to his own.

Re:Why bother?

[dryeo]

Thanks, Mozilla, for deciding that I need to change my tried and tested browsing habits of 15 years, simply because you think your way is better - you could have at least given us a way to revert to the old url bar behaviour, but you didn't.

Perhaps you should try Seamonkey ver2. Same rendering engine as Firefox, most extensions work fine and the address bar works much the same as always.
I also personally find it faster then Firefox.

Re:Why bother?

[PitaBred]

It doesn't stop you from typing in the whole URL. Isn't that what Firefox 2 does? Just gives you a text box? Firefox 3 only shows some extra info, and if you don't want it, is it really that hard to ignore? I find it's much nicer, especially when I remember a page title, or a product, but can't remember the URL I was at and didn't save a bookmark.

Re:Why bother?

[sumdumass]

How about looking to see if I could afford a diamond reckless and earrings for the wive and after deciding it costs too much, she ends up seeing the awesome bar and now her friends tell me she it expecting them for Christmas.

A little less insidious now isn't it. As long as you have one thing that you want to keep secrete from one person, you have a reason for privacy. It doesn't have to be porn or anything like that. It could be researching a medical condition that you don't want people to know that you have been diagnosed with. It could be anything.

Re:Why bother?

[Repossessed]

like having the 'browser.urlbar.matchOnlyTyped' setting set to true still allows the url bar to match on non-typed urls.

Matching only URLs you typed out doesn't sound like the old bars behavior to me, as I took advantage of it matching all URLs visited to look at my history for a given site. Or do you mean that 'browser.urlbar.matchOnlyTyped' works in 2 but not 3?

Re:Why bother?

Apparently, there is a privacy mode planned for Firefox 3.1 that will stop all recording to the history (and Awesome Bar) while activated (along with several other privacy measures).

Until then, I've been using Safari's Private Browsing mode for that type of thing.

Re:Why bother?

[jesser]

Firefox 3.1 has a slew of new options to tweak the address bar autocomplete behavior, mostly in about:config. Now is the time to try it out and file bugs if the tweaks don't meet your needs, because Firefox 2 isn't going to be a viable option for much longer.

Re:Why bother?

[BobReturns]

This being the reason that my computers all have user accounts for people who use them.

Re:Why bother?

[BruceCage]

but how much are people really missing out on by refusing the updates?

*shakes his head*.

This is still Slashdot is it? Here's a good one, security updates! Think browser exploits, here's a list.

Re:Why bother?

[sumdumass]

Ok, and you jump off the computer to answer the phone or take a call and she pops on for a minute to check the weather or see which store has the sale this weekend.

BTW, not all marriages are to the point of comfort that the spouse is willing to let the other spouse have secretes or accounts that they are locked out of. Besides, it doesn't even have to be like that. Suppose you were showing her something and accidentally click on the awesome bar and she see's you have been to ex-wives.com, or http://www.match.com/ or Eharmony, or some jewlry store's site or whatever. I mean it can happen right in front of you.

Re:Why bother?

[BruceCage]

Wouldn't the solution be to create a separate profile to do your "sensitive browsing" (which clears all private data after you're done)?

Re:Why bother?

[sumdumass]

Lol... and that does exactly what when you are distracted or someone looks over your shoulder and you click on it?

I mean seriously. You can go through all the motions in the world to have a secrete web sessions and hide it from everyone, but as long as this is there, then it posses some sort of privacy risks. And this is despite the idea that your wife or live in girl/boy friend isn't likely to be keen on you having the secret surfing profile that they are forbidden to see or know anything about. This isn't a case of your coworker or a sibling expecting the same privacy.

Granted, some other halves might be "ok" with you having secrets, But I haven't found a woman yet who is "ok" with you keeping secrets from her, especially right in front of her. Try telling her that she can't shoulder surf. Try telling her that she can't see your browser profile or that when she uses the computer she must log out of your account (if you didn't already) and log into the one created for her because you don't want her to know what your doing. Ok, lie to her and tell her it isn't because you want to keep secrets, it's because you don't trust her to be savvy enough not to fuck something up. It will have the same ending which is probably going to be you getting laid the old fashioned way with the five knuckle shuffle and doing your own dishes again.

Re:Why bother?

As far as I can tell clearing all your settings with 'Clear private data' only removes your browsing history not your bookmarks. Since the location bar uses both to build up its list it's easily explained why you still see "stuff" in the location bar after removing all private data. At least that's how it works on my pc(s).

Re:Why bother?

[BruceCage]

Everything you bring up to somehow prove your point that the awesome bar is a privacy risk makes no sense at all. I can tell you this much, your problems don't lie in the awesome bar.

Re:Why bother?

[sumdumass]

You must be a fanatic or something and are incapable of reason from in the real world. Well, this is slashdot so it may be that you have never had a girl friend or wife that pays attention to you making the records in the awesome bar a risk even if you aren't a looking at porn or whatever. I can understand how someone who has never had a girlfriend over to the house would think that saying "no, you have to log out of my account and log into your own so you can't see anything I was doing" is acceptable. But if you think about it, that might be one of the reasons that you are alone.

Here is a hint, there is a reason that people clear the stored text fields and URL locations. When something doesn't allow that, it violates that same reason. When you look for the settings and controls in FireFox or any other web browser, the ability to clear that information is listed under privacy and security. If that is there, then what makes the awesome bar any different or special in that is doesn't need to apply to those same rules or idea set out so long ago? Of course the answer to that is nothing is special about it in that regard. And yes, the ability to create multiple profiles and user accounts existed long before that stuff was added to the browsers.

Because you can't or don't see something doesn't mean it isn't there. If you go through life like that, your going to start running into things that hurt you.

Re:Why bother?

[BruceCage]

If that is there, then what makes the awesome bar any different or special in that is doesn't need to apply to those same rules or idea set out so long ago? Of course the answer to that is nothing is special about it in that regard.

Basically ignoring the rest of your post (though I had an hilarious time reading it). The awesome bar has not been exempted from the Clear Private Data functionality (just tick "Browsing History"). However, it does search bookmarks which obviously aren't cleared.

Re:Why bother?

[sumdumass]

Well, no. It doesn't. Unless they added it to some updated version that I don't have. This is actually what the op was claiming which prompted me to. Respond to the insightful musings (just jump through hoops wearing bells and whistles, a little blood of a dead chicken, and put in user accounts or profiles or whatever that shouldn't be needed) just to work around the issue without ever addressing that issue.

Yea, I just checked, I cleared everything the clear private data tool allows. And the awesome bar still has URLs pointing to my bank, my internet email accounts, south park studios and several other places. I know I didn't visit them after just clearing it. There is even an FTP link with an old user name and password embedded into the URL.

Re:Why bother?

[BruceCage]

WORKSFORME

I'm led to believe you're just seeing bookmarks.

Re:Why bother?

[sumdumass]

So your saying that books marks separate from your regular book marks are kept in the Awesome Bar?

Otherwise, I don't know what your talking about. I don't have book marks that match the listings it is showing. Perhaps there was some bug or something introduced in a specific version or something. I'm not the only one with this problem, the op had it too and I'm probably sure other people have seen it. It isn't like we are making it up.

Re:Why bother?

[BruceCage]

So your saying that books marks separate from your regular book marks are kept in the Awesome Bar?

No I am not. I'm saying the AwesomeBar searches bookmarks.

It isn't like we are making it up.

;-) Find me a Bug # and I might believe you. Also try using a clean profile (firefox -P).

Hey... it's open source!

[jimbudncl]

Somebody throw in some new phishing detection, for free, already. What else, are you going to do, today, over-use Google, and piss off an ISP?

(sorry about all the commas... I have no idea why I used them)

Re:Hey... it's open source!

[mrchaotica]

(sorry about all the commas... I have no idea why I used them)

Wouldn't it have been easier to just delete them instead of writing that apology?

Re:Hey... it's open source!

You must be on your comma.

It's like being on your period. But with less bitching.

Re:Hey... it's open source!

[jimbudncl]

Perhaps, yet (Subliminal msg) some unknown (Subliminal msg) force was (Subliminal msg) influencing (Subliminal msg) my fingers.

Re:Hey... it's open source!

I had an ex-girlfriend that was always on her semi-colon. You can imagine what that's like.

Re:Hey... it's open source!

[smellotron]

Somebody throw in some new phishing detection, for free, already. What else, are you going to do, today, over-use Google, and piss off an ISP?

(sorry about all the commas... I have no idea why I used them)

You're reading Slashdot from a typewriter?

Re:Hey... it's open source!

No,, it, wouldn't,. Commas, are, too much, fun. Who, doesn't, like, ,commas?

,

Re:Hey... it's open source!

[noidentity]

Somebody throw in some new phishing detection, for free, already. What else, are you going to do, today, over-use Google, and piss off an ISP?

(sorry about all the commas... I have no idea why I used them)

Any idea why you didn't just use the delete key to remove them before posting?

Re:Hey... it's open source!

[jimbudncl]

I guess my joke was lost on everyone.

http://science.slashdot.org/comments.pl?sid=1054103&cid=26021769

Re:Hey... it's open source!

If you don't know why you used them then why not delete them instead of commenting on the fact it was wrong in the first place?

Re:Hey... it's open source!

Don't worry its ok to channel the Shat at times.

Re:Hey... it's open source!

So I guess if you had an ex-girlfriend, that must mean she's once again your current girlfriend?

Well, at least it's clear

Who pays the bills over at Mozilla.

Re:Well, at least it's clear

[Ian+Alexander]

Google is going to stop supporting the version of the protocol that FF2 relies on. They could upgrade the version of the protocol 2.0 uses (they're doing it with 3.0) but it's pretty near EOL so they're not going to bother. This is all in the article.

My Phishing filter ends at my common sense..

I don't need or want an integrated Phishing filter, so I don't care if support it dropped.

The reason many have not upgraded is that various add-ons we use have not been upgraded, or support was discontinued.

Re:My Phishing filter ends at my common sense..

[visualight]

Mod that man up!

1)So _take_ you crappy old phising filter and _go_ home.

2)There haven't been any good changes in firefox since gtk. I hold my breath during incremental 2.0.n updates and watch carefully for any sign of ff3 in global updates.

A few years ago firefox could have changed everything. If really wanted everyone to leave flash for svg, they could have pulled that off. Etc.

I'm going to konqueror or opera.

Peeps still on 2.x don't care about security

Once the next 3.x minor release comes out everybody will know how to exploit them. There will be no more patches, they're free for all game. And please, don't even mention the ridiculous OS not supported argument.

Fix

# echo ">www-client/mozilla-firefox-2.0.0.18" >> /etc/portage/package.mask
# echo "127.0.0.1 www.google.com" >> /etc/hosts

There, problem solved

Re:Fix

[mR.bRiGhTsId3]

Does that mean you never go to google in the first place?

Re:Fix

If you update your /etc/hosts like that, then yes, that is what it means. But although I suggested this fix, that doesn't mean that I will apply it myself;)

How to get people to upgrade to FF3?

Presumably people aren't upgrading because that kid down the street came by and fixed their PC one day, removed virii, etc, and installed FF2. Now, a year later, these people still don't know they're using FF, IE, or whatever, let alone that there is a new version of FF.

What can be done to communicate to these people, the ones most vulnerable to these attacks, that they need FF3?

Re:How to get people to upgrade to FF3?

[WiFiBro]

That seems to be the best explanation for all people still on FF2.

Re:How to get people to upgrade to FF3?

[larry+bagina]

I have a better explanation: awesome bar.

Re:How to get people to upgrade to FF3?

[Mr+Z]

How about that periodically appearing "Upgrade now to Firefox 3" dialog that keeps coming up in Firefox 2?

Re:How to get people to upgrade to FF3?

[Ian+Alexander]

Which is easily disabled with the oldbar addon. The people who care about the awesomebar are almost certainly technically-literate enough to install an add-on.

Re:How to get people to upgrade to FF3?

Yea and pre WinXP users can't upgrade either.
(There are still millions out there around the world). Mozilla must be hoping they don't all upgrade to Opera, which does support Win98, etc.

Re:How to get people to upgrade to FF3?

[__aagctu1952]

Which is easily disabled with the oldbar addon.

No. No it isn't. Quoth the oldbar site:

Note that the underlying autocomplete algorithm is the Firefox 3 algorithm, not the Firefox 2 algorithm. oldbar only affects the presentation of the results.

The presentation isn't the problem - it's the "search everything but the kitchen sink and suggest a bunch of irrelevant results" behavior that annoys people. AFAIK, there is no existing plugin that brings back the proper autocompletion behavior.

Re:How to get people to upgrade to FF3?

[WiFiBro]

There are some settings to be changed under about:config - my FF3 behaves well now.

Re:How to get people to upgrade to FF3?

[Toonol]

The oldbar addon, while it makes the situation much better, doesn't completely fix the search and url retention problems with the awesomebar. Esthetically, it fixes the looks, but not every aspect of the behavior.

Re:How to get people to upgrade to FF3?

[Shikaku]

https://addons.mozilla.org/en-US/firefox/addon/7637

Old location bar works with the algorithm and appearance.

http://www.fileden.com/files/2007/5/14/1079307/old_location_bar-1.3-fx.xpi

If you don't want to register to install it.

Re:How to get people to upgrade to FF3?

[karstux]

Because installing xpis from an untrusted source is such a good idea...

Re:How to get people to upgrade to FF3?

[karstux]

You're not seriously suggesting to have a Win9x computer connected to the net, are you? There haven't been security updates for the OS for over two years now. Upgrade already, to Linux if you can't or won't afford a commercial OS.

The real "problem" is

[El+Lobo]

The word of the master is the law. I will get moded a troll for this but that's nothing but the truth. Google has injected too much cash in Firefox, so they unfortunately need to obey as ships after only one word of command. Open Source is great, but corporation-financed open source... hmm...

Re:The real "problem" is

[El+Lobo]

Hmm... as sheeps, not as ships of course... Sorry..

Re:The real "problem" is

[FlyingBishop]

Google has too much power, but you're just being ridiculous. This is the last FF2 security release ever. Leaving in an automatic information query to a dead server would be a GAPING security hole.

Re:The real "problem" is

[theodicey]

What's Mozilla supposed to do, in your opinion?

Run their own phishing blacklist? Is that really a good use of their time?

Maybe they should sue Google, without any contract having been broken?

Or break into their data center and force them at gunpoint to turn the machines back on?

Mozilla should have gotten Google to contractually agree to keep the servers running through the end of life of Firefox 2, and they didn't, which is their screwup. But you're just conspiracymongering.

Re:The real "problem" is

[Toonol]

I don't quite agree. I don't think this is a case of Google having undue influence over Mozilla. Google is shutting off the service they provided. What's Mozilla supposed to do?

Now, I think Mozilla has screwed up a lot lately. Some decisions they made for the 3.0 series reek of the same corporatism force-feeding of unpopular options that we get from other big annoying software companies. But this wasn't one of them. I'm sure everybody understood Google wouldn't support that feature forever.

Re:The real "problem" is

[buchner.johannes]

Google has too much power, but you're just being ridiculous. This is the last FF2 security release ever. Leaving in an automatic information query to a dead server would be a GAPING security hole.

No it isn't. Since I bet they use SSL, the dead server is no risk at all.
If you want to continue using FF2 with phishing protection, why don't you write a addon that provides it with the new google format?

Re:The real "problem" is

[ChatHuant]

Hmm... as sheeps, not as ships of course

It's obvious you never tried to command sheep. The damned things just won't listen!

Re:The real "problem" is

What's Mozilla supposed to do, in your opinion?

If you'll allow me to chime in on your discussion...

I think what Mozilla *should* do is push out a 2.0.0.19 update that adopts the browser to the new phishing protection protocol used in Firefox 3.

If that's too much work for them, then the next best thing - which is also still acceptable - would be to release an update that does not disable anything but instead *notifies* the user of the fact that the phishing protection in Firefox 2 will stop working and that they should upgrade to Firefox 3. Then, when Google really turns off the old protocol, push out a 2.0.0.20 update that notifies users again that phishing protection *has* stopped working, and that it's Google's fault, not Firefox's.

People who still stay with Firefox 2 will have to live without phishing protection, then, or upgrade. It's their choice; Mozilla would've done what they can.

Re:The real "problem" is

[jesser]

I'm pretty sure it uses some kind of lightweight in-band authentication instead of SSL. But even if it used SSL, pings to a dead server would still needlessly waste bandwidth and expose SSL-handling code to potentially malicious data.

I don't understand why

[WTF+Chuck]

I don't understand why they just don't make the anti-phishing functions a separate library that can be updated independently of whatever program that is calling it.

Re:I don't understand why

Because that is not what Google pays for?

If it wasn't for the Awful Bar

[dougf317]

I'd switch to 3.0 If it wasn't for that convoluted Address bar. To me that was a big step backwards in simplicity and functionality. IF they really want to advance Firefox remember K.I.S.S. But apparently not.

Re:If it wasn't for the Awful Bar

[oddball33]

That's the same reason I haven't switched.

Re:If it wasn't for the Awful Bar

[SignOfZeta]

1. Go to about:config.
2. Set browser.urlbar.maxRichResults to 0 to disable the awesomeness.
3. If you don't like the style of the once-Awesomebar, install the Oldbar extension.

I don't mind the Awesomebar, but those are just my two cents. Then again, I'm still with Safari, holding out for a Mac version of Chrome.

Re:If it wasn't for the Awful Bar

The bar is awesome. It has "saved" me countless of times when I remembered a sites name/title but not the address (and forgot to bookmark it).

Speaking of bookmarks, I almost never use them anymore. I just type a few characters of the site name (NAME not address) and hit enter.

Re:If it wasn't for the Awful Bar

[AuMatar]

Or he can just not upgrade and not bother with obscure settings.

What you need to do is give people a reason *to* upgrade, not find ways to get around reasons not to upgrade. What does FF3 give an FF2 user that is worth the hassle and changes they don't like? Upgrading is a PITA, people don't do it without a reason.

Of course, personally I stick with Seamonkey- the UI is simple, easy to use, doesn't have idiocies like the awesome bar or the separate search bar. Firefox has a long history of UI experimentation and a good 90% of them absolutely suck. I keep away from it unless my only choice is Firefox or IE.

Re:If it wasn't for the Awful Bar

[Shikaku]

https://addons.mozilla.org/en-US/firefox/addon/7637

Old location bar works with the algorithm and appearance.

http://www.fileden.com/files/2007/5/14/1079307/old_location_bar-1.3-fx.xpi

If you don't want to register to install it.

Re:If it wasn't for the Awful Bar

you sound like a old luddite complaining about those dang kids and their "mobile telephones" and how it's a big step backwards in simplicity. the telcos should have remembered K.I.S.S. but apparently not.

Re:If it wasn't for the Awful Bar

[Jackmn]

What does FF3 give an FF2 user that is worth the hassle and changes they don't like?

Firefox 2 is no longer going to receive official patches, even for severe vulnerabilities. That is the number one reason to switch. Running an unmaintained browser is never a good idea.

Re:If it wasn't for the Awful Bar

[AuMatar]

Yet another mark of incompetence against the Mozilla foundation then, although I'm sure it will continue to be supported by hobbyists. The fact is that their new version is inferior to many people. With good ad blocking and anti-virus software (or any non-windows based OS for that matter) most people, including most techies, would rather run the preferred but insecure browser. Hell, most users neither know nor care that new versions come out, most of the software on my parent's machine, including firefox, is 3-5 years old and unupdated. It works, why mess with it?

Re:If it wasn't for the Awful Bar

[Jackmn]

Yet another mark of incompetence against the Mozilla foundation then,

Further maintaining Firefox 2 would substantially reduce the number of man-hours that could be invested into developing Firefox 3. It would be a waste of effort to little good effect. If enough people are interested in Firefox 2, then they can maintain it themselves.

With good ad blocking and anti-virus software (or any non-windows based OS for that matter) most people, including most techies, would rather run the preferred but insecure browser

Anti-virus software is a band-aid. It does not offer any sort of real protection, only a false sense of security. If you are running a browser with known vulnerabilities then you are at risk, irrespective of your choice of operating system (assuming the vulnerability is cross-platform) or your choice of anti-virus software.

It works, why mess with it?

Because it places any private information on their computer at risk. In addition, it leaves them vulnerable to becoming a zombie on a botnet. Uninformed users running outdated software is one of the reasons botnets are as big a problem as they currently are.

Computer security is a process, and part of that process is keeping on top of security updates.

Re:If it wasn't for the Awful Bar

[AuMatar]

Further maintaining Firefox 2 would substantially reduce the number of man-hours that could be invested into developing Firefox 3. It would be a waste of effort to little good effect. If enough people are interested in Firefox 2, then they can maintain it themselves.

Nice in theory, unworkable in practice. People won't upgrade because they have no reason to. Especially when the upgrade is a major version number. You're far more likely to get people to upgrade a point release. And the people who won't upgrade won't maintain it themselves, or likely realize it needs maintenance. This is a *BAD* decision. Especially given that FF2 is just 2 years old.

Not the first bad decision made by the Mozilla Foundation. They make a habit of it. I respect their coders, but their management is god damn awful.

Anti-virus software is a band-aid. It does not offer any sort of real protection, only a false sense of security. If you are running a browser with known vulnerabilities then you are at risk, irrespective of your choice of operating system (assuming the vulnerability is cross-platform) or your choice of anti-virus software.

No, it warns you when there is a problem (assuming that the problem isn't a zero day, in which case there is no protection). Saying anti-virus is a band aid is like saying a doctor's visit when you're sick is a band aid- just because it's after the fact doesn't mean it isn't valuable.

Computer security is a process, and part of that process is keeping on top of security updates.

And most people don't see it that way. A computer is a tool- they don't want to, don't care to, and don't have the knowledge or skills to keep one secure. And I can't blame them- I have the knowledge and skills and don't really care much. I keep up only on my linux box, if my gaming box is part of every botnet on the planet I don't give a shit. And truthfully, I only update the linux box every few months- the odds that there's a linux vulnerability, that will effect my box, and that will lead to financial information leaking (the only thing I'd actually care about, someone can steal my vacation photos if they want) is so close to 0 that I'd rather worry about realistic threats, like being hit by lightning.

The idea of security as a process, for anything other than large organizations, is hopelessly broken. The sooner people realize that and make design and support decisions with that in mind, the sooner we can actually get some semblance of working security.

Re:If it wasn't for the Awful Bar

[Beezlebub33]

I, for one, am amazed at your persistence. Do you have a macro for that?

Re:If it wasn't for the Awful Bar

[Shikaku]

Naw, I just hate whiners who didn't take the 5 minutes it took me to find this.

Re:If it wasn't for the Awful Bar

[Jackmn]

Nice in theory, unworkable in practice. People won't upgrade because they have no reason to. Especially when the upgrade is a major version number. You're far more likely to get people to upgrade a point release.

Then they lose out. Mozilla is not responsible for the decisions of others, however poor those decisions may be.

And the people who won't upgrade won't maintain it themselves, or likely realize it needs maintenance. This is a *BAD* decision. Especially given that FF2 is just 2 years old.

Maintaining old software in addition to developing new software requires a large investment of time. This accomplishes nothing of worth in this case - FF 3 is capable of doing everything FF 2 can, and is entirely free for the taking.

No, it warns you when there is a problem (assuming that the problem isn't a zero day, in which case there is no protection).

You cannot adequately discern whether or not a system has been compromised from within that system. The software you are using to try to determine whether or not you have been compromised may have been tampered with. This is the basic idea behind a rootkit - the tools a user can use to determine the state of his system are changed to hide the presence of the rootkit (or the APIs all such software will depend on are modified to hide its presence).

Anti-virus software depends on blacklists and heuristics, which are going to be nearly useless for dealing with a remote exploit. AV software is a kludge.

And most people don't see it that way. A computer is a tool- they don't want to, don't care to, and don't have the knowledge or skills to keep one secure.

How they wish to see things is largely irrelevant. That is not the way reality is, and it is most likely not the way it is going to be any time in the near future. There are operating systems that make staying up to date nearly painless (such as OS X), but the user is still going to be responsible for his machine.

if my gaming box is part of every botnet on the planet I don't give a shit.

Frankly, any machine that is detected as being a part of a botnet should have its internet access cut off until the issue is resolved. Spam is as bad as it is due in large part to the number of machines operating in botnets.

The idea of security as a process, for anything other than large organizations, is hopelessly broken. The sooner people realize that and make design and support decisions with that in mind, the sooner we can actually get some semblance of working security.

Security as a process is the only way security works in reality. Complex consumer software is going to have bugs, period. Some of those bugs are going to be security vulnerabilities. Those bugs will have to be addressed through patches, which will need to be installed. There are no alternative solutions to this. Privilege separation, trusted computing, and other methodologies and technologies can mitigate this to some degree. User-friendly automatic updates can make things more manageable. However, in the end, software still needs to be updated.

RHEL4 support anyone

[Mr+Z]

I still use Firefox 2 at work because the Firefox 3 downloads won't run on Red Hat Enterprise Linux Workstation 4. Seems to want libpangocairo, as I recall. Also, a couple plugins I like haven't been updated for Firefox 3 (FLST and Open Link In... come to mind).

I wonder how many of the 25% are in similar situations to mine?

Re:RHEL4 support anyone

I don't have the RHEL 4 WS "channel" but I can see that RHEL 4 ES and CentOS 4 both have Firefox 3, it doesn't sound credible that they have "forgotten" that just in WS!

And if they have, just get it from CentOS 4 instead. Binary compatibility goes both ways, and since no RHEL ever had Firefox 2 you've already modified the standard setup :-)

Current version is 3.0.4-1.el4 so it's fully up to date and with three earlier 3.x versions they've clearly had Firefox 3 for a while (RHEL 5 switched earlier and have more intermediate versions).

The reason why they switched from Firefox 1.5 was that it had been discontinued and it was too much work to continue patch security problems on the old code base for something which wasn't a "core" part of the server OS.

Re:RHEL4 support anyone

[Mr+Z]

Well, I don't have any control over the Linux that runs on my corporate workstation. Firefox 3 isn't installed, and we're encouraged to run Firefox 2. I can't just go install RPMs on this machine.

I can, however, download the Firefox build from the website and run it myself. Except, of course, it doesn't run because of this library dependency. I suppose I could download the source and try to build Firefox, but honestly, I've got work to do and Firefox 2 already works.

Re:RHEL4 support anyone

[kelnos]

I wonder how many of the 25% are in similar situations to mine?

You're probably the only one.

No, seriously, think about it. The 25% figure includes people running Windows, Mac, and Linux. I'd bet Linux is the smallest bit of that, and I'd also assume (poosibly incorrectly) that Linux users are more apt to upgrade their software (when not prompted by an auto-update feature; the FF2 updater doesn't prompt you to update to FF3). Then take this likely-tiny fraction and reduce it further for people who are not just running LInux, but who are running RHEL WS 4. And a sibling poster notes that ES and CentOS 4 both have FF3, so yeah... could be just you.

Re:RHEL4 support anyone

[daeg]

Couldn't you extract just that library from an RPM and stick it in a path that Firefox would find it?

Re:RHEL4 support anyone

[Mr+Z]

I imagine it's not just one library. The GTK / GNOME libraries have a number of interdependencies such that I probably would need to make a parallel installation of the full set to make it work. I ran into similar problems with GIMP, which is why I haven't tried to rebuild that in years.

Re:RHEL4 support anyone

[tabrisnet]

No, as it will require/depend-on _other_ libraries that are also not available (or not in the correct versions).

Re:RHEL4 support anyone

[jdoff]

So just install Firefox 3 from RHN ('up2date firefox'). firefox-3.0.4-1.el4 is the current version of the package for RHEL 4.

Re:RHEL4 support anyone

[Mr+Z]

I'm not the administrator (nor would I want to be). Corporate IT goes through a long process of approving OS builds and package sets for the workstations, and they have, in their infinite wisdom, chosen to not include RH's Firefox RPM.

I suppose I could try finding that RPM and installing it in an alternate location.

That wasn't really my point though. My point is that I haven't bothered to upgrade because Firefox 2 works for me, and it's frustrating to upgrade to Firefox 3. Having been spoiled by easy upgrades in the past, I've decided it's not worth my time to jump through hoops to install an update if the installation doesn't "just work."

Re:RHEL4 support anyone

[BZ]

It's really your call whether you want to use a browser that's not getting security updates, especially when a newer one _is_ available and supported (through your existing support contract, event!).

You might want to point out the security issues here to corporate IT (which is sounding like it's being boneheaded to me).

Re:RHEL4 support anyone

[PitaBred]

RHEL5 is out. If you want to use old, EOL'd software feel free. Don't bitch if it's not supported or updated, though. Besides, do you ever actually use the phishing filter on FF2?

Re:RHEL4 support anyone

[Mr+Z]

I don't care about the phishing filter. I would like to move to Firefox 3. I don't really have control over what IT snapshots to for our design flows. They move very conservatively between OS and infrastructure releases to minimize breakage.

Re:RHEL4 support anyone

[Repossessed]

RHEL 4 is hardly EOL. RHEL 3 is still supported for that matter.

Re:RHEL4 support anyone

[smoker2]

I found the same issue when I tried to install on FC4. Ok, FC4 is old, but it works just fine for my purposes and upgrading will be more of a complete re-install. This is trying to install firefox 3 as downloaded from the mozilla site. I don't use the Fedora distros version of firefox.

Re:RHEL4 support anyone

[karstux]

Well, I'd say talk to your administrator. It's his job to keep your software up-to-date...

Re:RHEL4 support anyone

[Mr+Z]

As I mentioned elsewhere, the company has a slow moving approval process. They stay on a given release for a very long period of time to minimize issues with the wide array of software that we use for design. They don't care so much about web browsers since that's not a core part of what we do.

I believe they shoot for a 4-5 year operating window for an OS version they approve. I've had the OS updated 3 times on my Linux box at work, the most recent being a month ago to bring it to the RHEL WS 4 image that's on there today. It is "up to date" by our standards.

We still haven't moved to Vista even for our Windows machines. All our shiny new Windows boxes come with the corporate load of XP on them. I heard we're scheduled to move to Vista (or another OS) in ~2010.

Part of this is so that the same versions of a wide range of applications work on everybody's machine. This prevents widespread interoperability issues (and therefore license churn with a sort of "rolling upgrade"). Thus, we all run the same version of Office, for example, even though it's 5 years old. On the UNIX side, it's more a matter of using a small number of versions of various fiddly (and expensive) design tools.

Re:RHEL4 support anyone

[PitaBred]

...so you're complaining about FF2 support for a phishing filter you don't use being dropped?

Or are you complaining about your IT department not supporting FF3?

Either way, it really has nothing to do with the Mozilla organization, or Google shutting off these servers.

It must be made obvious.

This is bad because it WILL go unnoticed by users. Many will install the update thinking that it makes security better. They may never discover that they're actually worse off! For this reason, I think that on installation of this update, a window explaining the situation should come up, but not with a simple OK button because people tend to click those automatically without reading. They should have to enter a word in a messed up image in the same way that websites have you do it when you register, to avoid automated registrations, and in addition, there should be a question in bold print saying: Do you understand why this version is LESS secure? They should have to type YES in a field next to that question. Then it should say "Update to Firefox 3 for better security." Only then can they push OK. It should offer an easy link to version 3. It has to be so obvious and so clear that people won't miss it. I think this should happen the first three times that they start this latest Firefox 2.

Re:It must be made obvious.

[GravityStar]

aha. Ahaaahahahahaha. Hehehehehe. HAHAHAHAAHAHAAHAAHAHAAAAAAAA.

Wait a second, you were being sarcastic, right?

Re:It must be made obvious.

this guy sounds like my boss -_-

Mac Os X 10.2.8

[escudier0]

No Firefox 3 for Mac Os X 10.2.8 -> I'll keep Firefox 2 on my old Mac....

Re:Mac Os X 10.2.8

[BZ]

Honestly, given that your OS is not getting security updates I guess you don't need to worry much about your browser getting them....

Re:Mac Os X 10.2.8

If I understand http://support.apple.com/kb/HT2241">this article correctly, there have been no security updates for MacOS 10.2 since more than 4 years. I'd say you have more severe problems than a potential lack of browser updates.

Ridiculous

[blai]

Why not disable the whole browser already when you can disable a browser's functions? I can guarantee 100% switching to Firefox 3.

Re:Ridiculous

[Chabil+Ha']

Because contrary to your notion, it's an end-user's right not to upgrade.

Yet another example of the following aphorism:

Open Source != Socialism

Re:Ridiculous

[dasmoo]

You'd lose me. Firefox 2's self signed SSL behaviour is much nicer than FF3. Chrome's behaviour is also nicer in that respect. Dealing with the FF3 SSL behaviour would push me to one of the other browsers.

Slackers

[S77IM]

The browser is using an older version of the Safe Browsing protocol that Google will discontinue.

Wouldn't it be better to update FireFox 2.0.0.19 to use a newer, supported version of the Safe Browsing protocol???

Re:Slackers

Yes, except that FireFox 2.0 is only getting security updates. It could be argued that updating it to use a newer version of the protocol is a feature request rather than a security issue. I think I agree with that argument, as security in the context of software usually means things like buffer overflows, privilege escalation, etc.

Will anyone notice?

[drew]

I'm fairly certain that anyone who actually needs phishing detection probably won't even notice that it's gone, or won't know what it means. For example, people like my parents who only have Firefox because some well meaning geek installed it for them a year and a half ago...

Re:Will anyone notice?

[TeacherOfHeroes]

I use neither firefox nor windows, so I don't know for sure, but wouldn't the automatic updater have upgraded most of those people to Firefox 3 when it was released?

If that is the case, then the only people impacted by this would be those who deliberately refused the upgrade.

People on older distros

[sentientbrendan]

can't upgrade.

On Linux Firefox doesn't distribute RPM's or DEB's for the various major platforms, and most vendor's don't provide new software for distros once they've been released.

Also, getting firefox 3 compiled from source on older distros is incredibly difficult due to version skew of various libraries. I got most of the way there, and gave up.

People who use linux for work are often stuck on older distros due to long corporate maintanance cycle's. It costs them a lot of money to roll out a major update to thousands of machines, especially if you are developing software on top of them.

Thus, it really sucks that there is no way to put newer software on older linux OS's without running into library version hell. Especially since this is so easy on other platforms. After all, who has trouble getting software working on XP?

Re:People on older distros

[TheSunborn]

Why not just download the firefox binary, and unzip it to your home directory? Then you can just run it from there.

Re:People on older distros

[FlyingGuy]

Yep same problem here. Running SLES 10 sp1 and FF 3 requires GTK 7.x and GTK 7.x requires a whole host of lib updates. I tried valiantly to get them all updated and totally crapped my system. I had backed up everything so it was simple enough to boot from CD and restore back, but man what a PITA!

Re:People on older distros

[arizonagroovejet]

It's not that easy. You can download it and unzip it, but if your distro has a version of GTK older than 2.10 then Firefox 3 will not run.

Re:People on older distros

[kelnos]

GTK is only up to version 2.14.x now. Sorry, troll.

Re:People on older distros

[arizonagroovejet]

GTK 7.x? Are you from the future? Firefox 3 needs GTK 2.10 or newer. If you tried to update the GTK that comes with SLES 10 they you're doing it wrong. You need to build the newer GTK and install it completely separate from the GTK included with SLES 10. Try reading http://blogs.warwick.ac.uk/mikewillis/entry/of_firefox_3/ It's the first hit on Google for "Firefox 3 SLES 10" Incidentally SLES 10 SP 1 is out of support. You should be on SP 2 by now.

Re:People on older distros

[arizonagroovejet]

You call them a troll, but the only part of their comment that you can be sure is inaccurate is the GTK version number which could just be an error. Substitute in 2.10 for 7.x and it's totally believable. What they did (trying to update the included GTK and all the dependencies) wasn't sensible, but it's totally believable that someone who didn't know better tried to do it.

Re:People on older distros

And software compatibilities too. My RSA SecurID software doesn't support FireFox version 3. Neither does my Sonicwall EX SSL VPN.

Kinda stuck using FF 2.0 atm.

Re:People on older distros

[mpcooke3]

It's not a good long term solution to this general problem, due to the fact that other software could have dependencies on the 'deprecated' official distro version of firefox.

I'm not saying that anything does actually have dependencies on the official distro version of firefox or that they would rely on the anti-phishing feature but if this was an official package it could happen at some point. Therefore breaking a feature of a distro packaged piece of software and not offering an official distro upgrade RPM could be quite problematic. Maybe the distro should strip the anti-phishing feature if they rely on a 3rd party who might cut it off?

Re:People on older distros

[fredspeaking]

Could you not just statically compile FF3 at home (or find an equivalent third party build) on a newer distro?

Re:People on older distros

And people say the state of Linux program distribution isn't broken...

It's hard to fix a problem when people keep denying it exists.

Re:People on older distros

[ion.simon.c]

*points* *laughs*

A couple of days ago, T. Boone Pickens made me his business partner. He wants me to raise funds for his Texas wind farms. For only $500, you can get in on the ground floor of this amazing revolution. Moreover, I've been authorized to offer you 5% of future revenues to anyone who donates $1,500 or more.
Whaddya say? You game?

Re:People on older distros

For some reason 2.0.0.18 is the latest version showing in portage just after a --sync.. Say it aint so.

Re:People on older distros

[ion.simon.c]

Does this help?

http://blogs.warwick.ac.uk/mikewillis/entry/of_firefox_3/

Re:People on older distros

[ion.simon.c]

Does this help?

http://blogs.warwick.ac.uk/mikewillis/entry/of_firefox_3/

First hit on "Firefox GTK", btw.

Re:People on older distros

[twosat]

Same problem here. I tried to upgrade on Knoppix 5.1 and just gave up eventually. Same story with trying to install VLC. Ironically, I easily installed Firefox 2 and VLC on my old Windows ME computer. Is there no way to have the libaries to be self-contained like on Windows? How do we expect Joe Sixpack to upgrade his Linux applications if we computer people have trouble ourselves.

Re:People on older distros

[TeacherOfHeroes]

Firefox 3 relies on the Cairo (svg) and Pango (typesetting) libraries, which are included with and used by newer versions of the GTK (I thought it was >= 2.8, but meh). Especially when using older linux systems (like RHEL4) to which you do not have root access, trying to build all of the updated libraries in a little bottle just to run firefox 3 is a pretty tall order. IIRC, when I tried, I had to start at glibc and work my way up - I never did get it to work properly.

Re:People on older distros

[Cow+Jones]

(posting to undo an accidental moderation. I meant to moderate your post informative, not overrated)

I've got the very same problem here. I'm using Ubuntu Dapper (6.06), which is a long-term service release (LTS). It's supposed to be supported by the Ubuntu team for 5 years; guess they'll have to create their own security patches for FF2 from now on.

As a web developer (among other things) I'm all for getting people to use newer browsers, but FF2 doesn't feel old enough to be abandoned yet. Like a lot of other people, I can't upgrade. I'm stuck with an older GTK version on Dapper, and neither FF3 nor Prism will run here; I'm using XP on VirtualBox to do testing with FF3. Compiling FF from source (and collecting the required libraries/versions) is not trivial, and I'm not going to waste time on getting this to work with every new update.

All in all, I think Mozilla called the end-of-life for FF2 *far* too soon. We're going to see a backlash for this decision soon.

Re:People on older distros

Why not just download the firefox binary, and unzip it to your home directory? Then you can just run it from there.

Uh, you mean the binaries that he said in his second sentence aren't provided?

Yeah, I'll get right on that.

Re:People on older distros

[BZ]

Distros were planning to ship Firefox 3 on their supported long-life products (e.g. RedHat on RHEL). They'll probably have to statically link with a newer GTK2 and so forth, but they're doing it.

If your complaint is that you're using a distro that doesn't do long-term support in a situation where you need long-term support.... then I'm not quite sure what to tell you.

Re:People on older distros

[BZ]

For what it's worth, some distros are in fact still maintaining Firefox 1.5 (and even 1.0). So yes, they could maintain Firefox 2.

They could also just ship Firefox 3 (statically linked against a newer GTK2 if needed), of course.

Re:People on older distros

[FlyingGuy]

Not trolling, bad proof reading...

Arrrggg I have been chastised.

Re:People on older distros

[FlyingGuy]

Yeah I read through that. Seems like a pretty hideous kludge, but I am going to try it when I next have time..

Re:People on older distros

this sounds remarkably like headaches that windows 98/Me gave people.

perhaps if linux itself had standardized an app packaging/versioning system and forced it downstream, you would have to rely on distros to eternally update obselete codebases, nor expect developers to package an app for 76,518 different variations of the same thing.

seriously, ever see how many different linux builds of the same version of opera there are?

Re:People on older distros

[ion.simon.c]

Yeah I read through that. Seems like a pretty hideous kludge, but I am going to try it when I next have time..

How is this a kludge? It's what you'd be doing if you were running LFS. It's what every Gentoo's package manager does all the time. :)

Anyway, best of luck, and happy browsing!

Re:People on older distros

[Grapes4Buddha]

I would feel a lot better about this if Mozilla would release as set of statically-linked firefox binaries. I'm also stuck in the RHEL4 boat for the foreseeable future so no FF3.0 for me.

Re:People on older distros

[greed]

Oh you can make it work on RHEL 4. It's a Royal Pain In The Arse, but it can be done. (I already had Pango and Cairo around for a (failed) experiment in our software, so I was most of the way there.)

All you need is up-to-date builds of gtk+, cairo, pango, tiff, fontconfig, expat, freetype, libpng, jpeg, atk, glib, gettext, libiconv, and zlib. (OK, you can probably use the last 3, and libpng, jpeg, and tiff as provided by RHEL.) But not in /usr/lib and /usr/include; put them Somewhere Else.

Once you've got the dependency graph worked out, and a wrapper for ./configure to set all the LDFLAGS, CPPFLAGS and so on, it's easy!

The deal-breaker for me is, (a) the fonts are horrible on Linux and (b) it trashed my configuration badly enough I had to pull it back from nightly backup. So I won't even run it on my Mac, either, because I want to be able to move config data around.

But I don't care about anti-phishing in the browser. I've got it in my brane.

Re:People on older distros

[Grapes4Buddha]

All you need is up-to-date builds of gtk+, cairo, pango, tiff, fontconfig, expat, freetype, libpng, jpeg, atk, glib, gettext, libiconv, and zlib. (OK, you can probably use the last 3, and libpng, jpeg, and tiff as provided by RHEL.) But not in /usr/lib and /usr/include; put them Somewhere Else.

Once you've got the dependency graph worked out, and a wrapper for ./configure to set all the LDFLAGS, CPPFLAGS and so on, it's easy!

Sure, maybe I'll switch over to Gentoo while I'm at it. It's easy!

Bleah. I'll stick with the packages that are available for my distro unless I specifically need something else for my job.

"Spent 20 hours getting Firefox to work on EL4" is not going to fly on my weekly status report.

Re:People on older distros

[HTH+NE1]

There's only one Linux box in my workplace that has GTK+ 2.10, and I run Firefox 3 on it displaying to my local machine. Still, /usr/lib/libgconf2-4/gconfd-2 does not exist, I can't configure a printer (can only print to file), and for some reason I kept getting errors on the console for not having Thai support (none yet today though).

The Ubuntu machines here only have GTK+ 2.8, and the Redhat 9 machines (my desktop) don't have libpangocairo.

Re:People on older distros

[petermgreen]

It's supposed to be supported by the Ubuntu team for 5 years
5 on the server, only 3 on the desktop and I bet they count firefox as a desktop app.

Re:People on older distros

[kelnos]

Firefox 3 requires gtk 2.10.0, which was released in July of 2006. If you're running an OS that is incapable of keeping you up-to-date enough to run software that's 2.5 years old, then you picked your OS poorly. Plain and simple.

Mozilla could have bundled gtk 2.10 with Firefox 3, like they do for many other libraries they depend on, but they chose not to, probably for good reasons.

Besides, after 25 seconds with Google, I found this, which, while not particularly fun, is entirely doable for someone who has the balls to try to update their system bypassing their OS's package management.

So maybe the original poster isn't troll, but (s)he's certainly foolish.

Re:People on older distros

[kelnos]

Yeah, sorry -- that was a bit unfair of me. If you're still trying to figure out a way to use FF3 on SLED 10, check this out. It's a little bit of a pain, but if you're comfortable enough with the command line to attempt to upgrade your system gtk, I think you'll be ok with this, too.

Older machines

[RudeIota]

Just to be fair, there ARE some people who can't upgrade to FF3. I'm thinking of Mac OS users. FF3 only works with 10.4 or higher. So many of those with G4 Macs are left in the dust.

I'm unsure of Windows compatibility, but Windows XP *is* over 7 years old, so users of older PCs are probably in good shape, at least.

Re:Older machines

[Chaos+Incarnate]

G4s can run 10.4 just fine; it even supports G3s still. Older G4s won't run 10.5, true, but it's hardly "being left in the dust" when their machines are three or more years old.

I hate doing this

[Mozk]

but that's not the plural of virus.

I was thinking of converting back from 3.0

[Uzik2]

the anti click jacking code and the really miserable handling of self signed certificates is starting to really annoy me.

Re:I was thinking of converting back from 3.0

[jesser]

There is no anti-clickjacking code in Firefox 3.0. What are you talking about?

(Self-signed certs, on the other hand... I think Firefox 3's handling is a huge improvement, but I understand why some people disagree.)

Re:I was thinking of converting back from 3.0

[Uzik2]

I get warnings from firefox that clicking on links on some pages with ajax/images are possible click jacking etc. When looking at a photographer's gallery I'm not terribly concerned. If I were at my bank site I might be. Further I have javascript turned off so it's not possible to click jack me. I'm going to check and see if this is a 'feature' of the noscript plugin instead of firefox...

The new handling of certs is worse than misguided in my opinion. Encryption DOES NOT EQUAL identification.

Re:I was thinking of converting back from 3.0

[jesser]

NoScript does have an anti-clickjacking feature, so I bet that's what you're seeing.

You're absolutely correct that encryption does not equal identification. I'm surprised you bring that up, since that's at the core of most arguments for Firefox's new certificate handling. I guess people who believe "https:" means "please give me encryption" prefer the lightest warnings for self-signed certs, while people who believe "https:" means "please give me encryption and authentication" expect at least DV certs. I'm in the latter camp, since I believe encryption without authentication isn't very helpful in a world full of MITM attackers.

Re:I was thinking of converting back from 3.0

[Uzik2]

I believe you probably want to say 'redirection' instead of MITM attacks? I don't believe I've ever heard of a real case of one. There are plenty of redirection attacks from DNS flaws, phishing, social engineering, etc. but real MITM? Doesn't tcp MITM require you be on the same subnet somewhere along the path? It seems like it would be easier to hack into the routers and just scoop out what you're looking for. Or lots easier yet to just steal people's session cookies and masquerade as them.

Unfortunately the browser does not separate encryption and identification.

The only thing I believe certificates are useful for is establishing a reasonably trustworthy short term communications channel between myself and whomever I PERSONALLY got the certificate from (who may or may not be who they claim to be). Anything further implies unearned trust and perfectly secure systems.

I've read about several less than scrupulous cert authorities.

Even given trustworthy companies I've gotten a cert for an employer's web site and there was nothing in that process I couldn't fake easily. It's "security theatre" as one security guru puts it.

A business is not an entity I'd invest a lot of trust in anyway, even if correctly identified. It can be hacked, dumpster dove(dived?), tricked, sabotaged, incompetent, more concerned with the bottom line than morality, etc.

Re:I was thinking of converting back from 3.0

[jesser]

Does it count as MITM if the DNS hijacker does connect to the real site behind the scenes? If a shady wireless network operator connects to the real site behind the scenes?

Interesting argument about preferring to trust individuals rather than companies. I think most people have reason to encrypt communications with companies (e.g. online purchases) more often than they have reason to encrypt communications with other individuals, but I understand your position.

It's a lot easier for me to say "I own www.squarefree.com and my web site uses a DV cert" than it is for me to give you my server's certificate. The CAs trusted by Firefox are required to at least check for ownership of the domain. If you're paranoid enough to prefer to verify your friend's cert yourself, you're already putting a lot of effort into checking the cert, and Firefox's extra clicks (in the case that the cert you're verifying isn't also a DV cert trusted by Firefox) shouldn't be making your life much harder.

Re:I was thinking of converting back from 3.0

[Uzik2]

In a roundabout sort of way it is a MITM attack, but not what would usually think of as one.
They didn't really insert themselves into a legitimate tcp connection. They redirected you to their server
and provided you with a convincing fake by copying responses from the target.

> The CAs trusted by Firefox are required to at least check for ownership of the domain

Yes, but their methods are flawed. This does nothing to prevent employees of that company from losing my information, stealing my information, allowing the site to be hacked and the server cert to be stolen, etc.

I'd prefer not to legitimize ANY web connection by certificates. This implies to the naive public that these people are trustworthy or untrustworthy because they've paid a fee to a CA. The internet is an inherently unsafe place and people should be reminded of it regularly.
.

From my cold, dead hands...

result in an increased adoption of Firefox 3.0...

Nope, not me... tried FF3, couldn't get past the ugliness/dysfunctionality of the 'awesomebar'. It was, and always will be, a dealbreaker for me. (I know it supposedly gets more helpful the more you use it, but I just can't swallow being 'forced' into adopting it.)

Re:From my cold, dead hands...

[Bradkey]

The awesomebar can be disabled. How do disable awesome bar

Re:From my cold, dead hands...

[Shikaku]

https://addons.mozilla.org/en-US/firefox/addon/7637

Old location bar works with the algorithm and appearance.

http://www.fileden.com/files/2007/5/14/1079307/old_location_bar-1.3-fx.xpi

If you don't want to register to install it.

Generally speaking..

[Junta]

It's pervasive in software, the developers decide changing behavior without preserving the old should be fine, as their opinion is that the new behavior must be better.

Take, for an additional example, the 'keyhole'. They decided the same context menu should open up regardless of the forward or back button being clicked on. In fact, it is just one control instead of separate. It would be great if they had added this variant and let the user choose between the unified keyhole or the classic distinct buttons, but they forced the choice upon upgraders.

How to get me to switch to Firefox 3 from 2.

[a+whoabot]

When I go "Check for updates" I get the dialog box that informs me: "This update will cause some of your extensions and/or themes to stop working until they are updated." Clicking on "show list" shows me that Compact Menu and Whitehart will be disabled with FF3. If that extension and that theme get updated, then I'll switch to FF3. Until then, I'll "suffer" with my working browser, anti-phishing or not.

Re:How to get me to switch to Firefox 3 from 2.

[Auz]

Possibly that message is hedging its bets, but both of those appear to have FF3 versions on the add-ons site.

Re:How to get me to switch to Firefox 3 from 2.

[arrenlex]

https://addons.mozilla.org/en-US/firefox/addon/364
https://addons.mozilla.org/en-US/firefox/addon/4550

Re:How to get me to switch to Firefox 3 from 2.

[dasuser]

Whitehart has been updated, not sure about Compact Menu, though, as I don't use that.

Re:How to get me to switch to Firefox 3 from 2.

[PitaBred]

Ever tried, I dunno, Google?

Whitehart in all of it's ugliness is FF3 compatible, and as for Compact Menu, how about a replacement? That took me all of 3 minutes of searching, but I can see how it might be hard for someone. If they can't use Google, I guess.

Re:How to get me to switch to Firefox 3 from 2.

Compact Menu will never be updated because the developer is now focused on Compact Menu 2, which works perfectly in FF3. (https://addons.mozilla.org/en-US/firefox/addon/4550)

Whitehart 3.4 theme works perfectly in FF3. (https://addons.mozilla.org/en-US/firefox/addon/364)

Looks like it's time to switch.

Re:Just a ploy

[Frosty+Piss]

Yep, it's all just a ploy to get us all to update to Firefox 3.0

I don't know why the parent is modded "flamebait", it's pretty obvious this is what Mozilla (Google) is doing.

It Makes Sense

[CritterNYC]

Firefox 2 uses an older version of the anti-phishing that will no longer be supported by Google (the provider of the database). So, whether Mozilla removes it or not, v1 is giong away.

2.0.0.19 is the final release of Firefox 2. As soon as it is released, Firefox 2 has reached its end of life and will no longer be updated or supported (no new features, no bug fixes, no security updates). So, it doesn't make much sense to worry about the anti-phishing feature being updated when the browser itself can no longer be assured of being secure due to possible bugs, etc.

"Privacy" knobs in FF3?

[TCM]

Is there any list of knobs I have to tweak to get a stock FF3 install to behave normally, i.e. no transmission of entered URLs/searches to third parties, no "auto-complete" with www. and .com/.net and any of that bullshit that has become accepted nowadays?

Yes, that's a rhetoric rant, but if anyone knows, please reply anyway.

Re:"Privacy" knobs in FF3?

[FunkyRider]

The answer is too simple, the browser if for the majority of internet users, not for you.
Maybe you should get a super doper geeky browser where you can parse the HTML yourself? Technology is made to serve people, not the other way around.
Or you may never understand how Apple succeeded? you think command console should rule the world? unfortunately you are wrong.

Re:"Privacy" knobs in FF3?

[BZ]

> no transmission of entered URLs/searches to third parties

For URLs this is the case by default. For searches, set browser.search.suggest.enabled to false (though effectively the default setting sends your partial search to the same search engine your final search will go to, iirc; whether you want that is up to you).

> no "auto-complete" with www. and .com/.net

I assume you still want your "http://" tossed in front? If so, set browser.fixup.alternate.enabled to false. You probably also want keyword.enabled set to false too. If you want to always type your protocol by hand, that will take more work; there's no pref for that. You can do it with an extension that replaces the URI fixup service, of course.

> and any of that bullshit that has become accepted nowadays?

If that's a non-rhetorical question, then it's hard to answer without more details.

Re:"Privacy" knobs in FF3?

[gzipped_tar]

Never accept cookies from 3rd party websites.

Install NoScript. Remove googlesyndicatin, google-analytics and similar crap from its default whitelist (or just remove EVERYTHING from that crappy whitelist and explicitly whitelist sites when necessary). Disable all the dingy plugins/web elements, even for "trusted" sites (this is very important).

Remove the ~/.macromedia directory and symlink it to /dev/null (as suggested by a Slashdotter). You may also need to do the same thing for some subdirectories in ~/.adobe (I can't tell, because I also nuked the ~/.adobe one).

Install CustomizeGoogle. Use it to disable Google click tracking. If you want further anonymity, there's a option to use anonymous Google UID.

Hope that helps.

Re:"Privacy" knobs in FF3?

[TCM]

Shooting a bit over the target, are we?

And yes, console should rule the world. Just what has it got to do with the topic?

Why I use 2.x

I visit self-signed SSL sites. For privacy I don't want the certificate stored locally.

FF3 doesn't like that.

Software as service

[radarsat1]

Security issues aside, this is a great example of why we should be wary of software as a service, depending on some company to always have their servers up, their software ready and your documents available to you.

You never know when they'll decide it's no longer a money-maker and pull the plug on something you've come to depend on.

I think local apps will still always have a huge role to play in computing for the long haul.

Re:Software as service

[jesser]

Firefox 2 is software. The phishing blacklist is a service. Only the latter is being disabled, and there is no way to have an equivalent feature without a service.

conflict of interest?

[jaiteace]

Google administering phishing is like the fox fixing the leak in the hen house roof

What about NetBooks?

[mapnjd]

With the rise in popularity of Linux-based netbooks (many of which come with FF2.0) how can 2.0 be EOLd?

I know no-one wants to support old crufty software (especially for free...) but, there are many of real users out there who will have to stay with 2.0.

Its useless

[Frozen+Void]

I never used this feature.
Phishing detection implies you are dumb enough not to discern which host you load content from.Its like confusing google.com with go0gle.com.
I'll probably download 2.0.0.19.
"This move ought to result in an increased adoption of Firefox 3.0 "- misguided and naive.I will think of it when they fix Firefox3 for real.

1...2...3...

Fail!

2.0 Does Not Offer A Upgrade Path

[ashpool7]

This is going to get buried and I'm not sure what to search on to see if it's already been said, but....

The "problem" is that 2.0 is still out there, right? Well the *reason* is because when you hit Check For Updates on 2.0:

"No Updates Found. There are no new updates available. Firefox may check periodically for new updates"

Is 3.0 not an update? If it doesn't want to auto-update to 3.0, shouldn't it at least say "3.0 is available" or "3.0 is available, but you can not be automatically updated from your version. Click here to download 3.0"

Seems like they should push out that update instead of phishing removal...

Windows 98

[Nom+du+Keyboard]

Does FF3 run on Win98SE? It's hard to find a direct statement of its requirements.

Re:Windows 98

[Ilgaz]

It doesn't. As well as it requires OS X 10.4 (can be compared to XP) on OS X.

On the other hand, Opera current version which is happily ignored, flamed, trolled by some people here supports everything down to Windows 98 and OS X 10.2. It is not just a browser, it is an entire suite which can be easily called "Internet Operating System" or something.

It could be power of Trolltech Qt and massively portable code by Opera and also the way they do business.

Normally you would expect such "upgrade or be abandoned!" things from those evil closed source companies right?

Google isn't the only thing for anti phishing

[Ilgaz]

It is amazing that people started to think "It is Google or nobody else".

Here, OpenDNS operated, community powered and completely open/free: http://phishtanksitechecker.com/ http://www.phishtank.com/ (supports down to FF 1! and Seamonkey)

In fact, one can even plug phishtank to a terminal browser, the entire API is open.

Also the famous FreeBSD portal :) Netcraft's professional alternative (compared to pure community) http://toolbar.netcraft.com/ Netcraft toolbar.

On Windows, there are way more advanced, payware solutions available which will even do heuristical analysis rather than a simple database comparison. They don't even care which browser or thing you clicked the link on.

only got false positives anyway

[nazsco]

for the 10min I left the filter on, all I got was false positives.

good riddance.

The same with the SSL fiasco recently. I bet my right arm that key people there are getting paid off the record for those changes.

Why would a open source app make it such a hassle to accept self signed certs?

Firefox on Windows 98

[solprovider]

People do not change until a reason exists.

I support five PCs with 512MB RAM and ~2Ghz CPU built 1999-2002 running Windows 98SE. These PCs will be used until the hardware fails. Windows XP is very slow on this hardware and still has critical security holes seven years after release. The users have not been happy with my attempts to convert them to Linux. The users are happy with the current (old) software so the lack of upgrades is not a problem.

The default Internet Explorer 6 was designed to ease virus distribution; alternate browsers such as Firefox 2 are critical to keeping these PCs secure. Firefox 3 refuses to install on Windows 98, probably more to reduce support than any technical requirement. Vendors encouraging upgrades by disabling features or refusing to install just causes these users to stop updating software. These users already abjure iTunes, Vonage, and ZoneAlarm.

Firefox 3 with the DPI set to 144 is a nightmare

[mlippert]

I've set my stepfather's Windows 2000 computer to a DPI setting of 144. Firefox 2 worked great with that setting.

Firefox 3 gets nutso!

There are a lot of people out there whose vision is not great who use a DPI setting of 144 to get bigger text. It is really weird that Firefox 3 mananged to break this.

Mac Os X 10.3.9, Actually

[SpammersAreScum]

You need 10.4 to run Firefox 3. And 10.3.9 isn't that old...

There could still be security updates

[JSBiff]

Just because the Mozilla foundation will no longer be providing any updates doesn't mean there isn't the possibility of updates. Remember, FF is open source. If a security exploit is found, someone else could, at least, theoretically, provide a patch.

Funny thing, though, about old software. . . as it gets less popular (because people gradually upgrade), it simultaneously becomes a less interesting attack vector. There's maybe still enough FF2 users that it might be a worthwhile target, but as time goes on, and the installed user base shrinks, I think it becomes less likely that anyone bothers to try to find attacks for it.