Firefox 34 Arrives With Video Chat, Yahoo Search As Default

An anonymous reader writes: Mozilla today launched Firefox 34 for Windows, Mac, Linux, and Android. Major additions to the browser include a built-in video chat feature, a revamped search bar, and tab mirroring from Android to Chromecast. This release also makes Yahoo Search the default in North America, in place of Google. Full changelogs: desktop and Android."

Yahoo Search?

[Threni]

Everyone wants that! Good shout!

Re:Yahoo Search?

[0123456]

Don't they mean Bing? I thought Yahoo farmed search out to Microsoft years ago.

Re:Yahoo Search?

Speaking of what everyone wants, hoo-ray for the built-in video chat! They finally relented, after years of users clamoring for this necessary feature, to bundle it into their flagship product *even though* it meant they would have to postpone fixing some of the regressions that have come up recently.

Thanks Firefox. Thirefox.

A lot.

Re:Yahoo Search?

Really? I didn't know that!

Let me Bing that on my Microsoft Surface using Internet Explorer for more information!

Seriously, though, microsoft will throw money at anything to get some recognition. Not that it every works. How's that Zune working out out for you? Squirt many songs to your friends lately? Is it any better than that Plays For Sure device that Microsoft Threw Under the Bus when they decided they wanted to be Apple?

Re:Yahoo Search?

[rudy_wayne]

I was really hoping that when Mozilla's contract with Google ran out the whole bloated business would collapse and they would go back to just making a browser that people actually want to use. But a new money truck just arrived in town and they can continue to add more and more useless 'features' while destroying all the things that made Firefox popular in the first place.

Re:Yahoo Search?

[bhcompy]

Say what you will about MS throwing money down the tube, but the Zune was a damn good and underappreciated device, and Zune Pass was the best value after Yahoo Music Unlimited folded

Re:Yahoo Search?

[binarylarry]

also the Zunesaber > Jedi lightsaber

Fuckin FCC and Tipper Gore

Re:Yahoo Search?

Let me Bing that on my Microsoft Surface using Internet Explorer for more information!

Surface RT, correct?

Re:Yahoo Search?

Never trust a capitalist. Their first priority is to make money, and only if you're very lucky will this also mean they act in your best interests.

(And there ain't no such thing as luck.)

Re:Yahoo Search?

[lister+king+of+smeg]

Speaking of what everyone wants, hoo-ray for the built-in video chat! They finally relented, after years of users clamoring for this necessary feature, to bundle it into their flagship product *even though* it meant they would have to postpone fixing some of the regressions that have come up recently.

Thanks Firefox. Thirefox.

A lot.

This (web video chat) is something that really should have been put in Thunderbird not Firefox, but unfortunately the powers that be at Mozilla seems to have decided that it should join SeaMonkey in being their neglected redhead step child, while they continue to throw shit into Firefox (which was meant to be the striped down powerful simple browser), or try to compete outside of their core competency focusing on projects like FirefoxOS, or Mozilla Marketplace, all the while trying to ape chromes interface.

Re:Yahoo Search?

I'm sure all three Firefox users are thrilled.

Re:Yahoo Search?

Yep, I am fucking thrilled. I am used to avoid FireFox like the walking dead, and now, a couple more reasons.

Re:Yahoo Search?

The Firefox welcome page says
"We've partnered with Yahoo to bring you better search results".

It means that:
- internal testing showed that Yahoo results were better,
- the Firefox team cares more about the quality of search results than the bid money.

Re:Yahoo Search?

Say what you will about MS throwing money down the tube, but the Zune was a damn good and underappreciated device, and Zune Pass was the best value after Yahoo Music Unlimited folded

I still use my zune platinum when I fly. I suppose I could use my phone, or the phone before that (or before that) but the zune is really, really, really nice in that role. And I still get 6-10 hours on it depending if I use video or not.

Re: Yahoo Search?

Your fanboyism is showing.

- sent from my Kin

Re: Yahoo Search?

I hated firefox's interface change so much that I switched to Chrome! My name is Bingo! I like to climb on things!

Re:Yahoo Search?

[master_kaos]

Yes if Yahoo results were so much better, everyone would be using them/bing.
They forgot the most import bullet point though
- Yahoo paid us the most

Re:Yahoo Search?

[Zontar+The+Mindless]

My big peeve (other than unannounced un-revertable UI changes) is... uh, wait.

My big peeve (other than unannounced un-revertable UI changes and breaking extensions with every release)... oops, let me start again

My big peeve (other than unannounced un-revertable UI changes, breaking extensions with every release, and mothballing Sunbird) is...

Aw, crap. Now I forget. :)

Re:Yahoo Search?

[Zontar+The+Mindless]

The Firefox welcome page says
"We've partnered with Yahoo to bring you better search results".

It means that:
- internal testing showed that Yahoo results were better,
- the Firefox team cares more about the quality of search results than the bid money.

Please mod parent Funny.

Just what I wanted for xmas time, more bloat.

Just what I wanted for xmas time, more bloat.
 

Re:Just what I wanted for xmas time, more bloat.

[UPi]

This is the way the world is going right now. HTML5 and JavaScript have become the new, universal runtime that everyone is trying to use to build their applications. It is extremely compelling too: you don't need to worry about deployment, supporting older versions, operating systems, etc. This, however, requires browsers to do a lot more than they did before. Sound and video input is just the tip of it. There's also the canvas, WebGL, WebSocket, tons of new CSS features.

Firefox can either choose to keep up with new features or lose 90% of its share to Chrome. I'm actually happy they going forward because part of HTML5's appeal is that it is multi-vendor and is not solely controlled by a corporation like Google or Apple. Yes, it is "bloat", as in, lots of new features that you personally might not be using today. But someday you, or your friend will come across a site that uses one of these new features and if the site says "Sorry, you are using a backwards browser, please try Chrome instead", we both know what will happen. (You of course will scoff and close the site, but 10 other people will switch for every lean browser snob out there.)

Point is, browsers are evolving. Deal with it.

Re:Just what I wanted for xmas time, more bloat.

[MobyDisk]

you don't need to worry about deployment, supporting older versions, operating systems, etc.

Bullhonkey! :-)

This saying is along the lines of famous phrases like "write once run everywhere" that are oversimplifications. You kinda point out the limitations of your own statement when you point out things that vary across browsers. Things like deployment becomes about deploying to servers and server farms and upgrading databases, which isn't trivial. Learning IIS, Apache, Tomcat, Postgres, etc. are serious skills. As for old versions: try upgrading a database when users may be on the system during the deployment. And think about old versions of browers, phones, etc: OS matters on both the client and server side.

Re:Just what I wanted for xmas time, more bloat.

[UPi]

You are making entirely valid, but irrelevant points. I've done all the things you mention. I didn't go into it because it is mostly irrelevant to the discussion at hand. I guess the only thing I disagree on is the "over" part of "oversimplification".

Oh. And thank you for not mentioning legacy Internet Explorers, I do appreciate that. :)

Re:Just what I wanted for xmas time, more bloat.

Firefox can either choose to keep up with new features or lose 90% of its share to Chrome.

Pretty sure this is gonna happen anyway over the Yahoo choice.

New: Improved search bar (en-US only).

Is this the first US-only feature in Firefox?

Re:New: Improved search bar (en-US only).

Expect more geographic division in the future. First it's the search engine integration, then god knows what.

Considering how many forks of Firefox there are in the Linux world, I'm eager to see how long until the forks start snowbolling in the Win/Mac world too.

video chat

[vux984]

video chat ? Where I send someone a web link? That's goofy.

And it doesn't work with Safari or Internet Explorer ... so most people won't even be able to click on the link, and it doensn't work with iOS devices... because no firefox and doesn't work with safari... so... useless? Why is this a core feature?

This should be an addon... that almost nobody uses instead of a feature that almost nobody uses.

At least as an addon, any security issues inherent to a feature that lets the browser turn on your camera and microphone aren't part of the browser.

I love firefox.. I really do, and the alternatives are all far more awful, so I don't see myself switching, but I just don't see the point of this at all.

Re:video chat

[NotInHere]

I agree. As much as I'm a fan of WebRTC and despise the walled gardens of facebook, whatsapp, google hangouts and friends, I don't think firefox should add this to their browser. Rather they should publish their own chat program, either as separate addon or as separate program. As a browser, firefox should be a platform that enables higher-level programs to bring services to its users.

Re:video chat

[pavon]

This is based on WebRTC which is a W3C draft that both Safari and Internet Explorer have committed to implement. There has to be a first browser to implement any proposed standard.

Re:video chat

[sexconker]

This is based on WebRTC which is a W3C draft that both Safari and Internet Explorer have committed to implement. There has to be a first browser to implement any proposed standard.

Not all proposed standards should be implemented.
This one shouldn't, nor should the DRM one, etc.

Re:video chat

[unrtst]

What I don't get are these two comments directly from the first article linked:

1. "Not only do you not have to sign up for a service, but you also don’t need the same software or hardware as the person you want to call, since WebRTC is compatible with Chrome and Opera browsers as well."

2. "... by sharing the generated callback link. To call you, they’ll naturally need Firefox 34."

So which is it? Something's wrong there.

As others have said, this should be an add-on. That said, I doubt it introduces much of any bloat when you're not using it (at least I really really hope it doesn't do anything at all unless you use it).

Re:video chat

[mod+prime]

It's both.

You can call anybody on the compatible browsers, but they can't call you unless they have Firefox 34.

Re:video chat

video chat ? Where I send someone a web link? That's goofy.

And it doesn't work with Safari or Internet Explorer ... so most people won't even be able to click on the link, and it doensn't work with iOS devices... because no firefox and doesn't work with safari... so... useless? Why is this a core feature?

This should be an addon... that almost nobody uses instead of a feature that almost nobody uses.

At least as an addon, any security issues inherent to a feature that lets the browser turn on your camera and microphone aren't part of the browser.

I love firefox.. I really do, and the alternatives are all far more awful, so I don't see myself switching, but I just don't see the point of this at all.

I agree. Try firertc.com, it is an add-on WebRTC client for Firefox.

Re:video chat

[Khyber]

WebRTC is shit.

They'd have done better just buying Camfrog's code and using it, instead.

Re:video chat

It may be bloat, but WebRTC with http://meet.jit.si/ is nothing less than the future of communication.

Re:video chat

It is indeed WebRTC via TokBox [tokbox.com]. TokBox provides a nice wrapper over the core technology and some signaling services (the signaling portion of the connection is intentionally left out of the WebRTC spec).

Firefox is NOT the first browser to support WebRTC. Chrome has supported it for some time first in Beta now in release, same with Firefox. This is just a slick way to generate a link that can be sent to another Firefox or Chrome user to instantly start a video chat.

http://www.webrtc.org

Re:video chat

[CritterNYC]

Firefox has no such issues these days. And Firefox has an open source PDF viewer, unlike Chrome.

Re:video chat

video chat ? Where I send someone a web link? That's goofy.

Or set up a contact list on Firefox Hello so you don't have to send a web link. The web link is a way of doing it without setting up an account and contact list.

And it doesn't work with Safari or Internet Explorer ... so most people won't even be able to click on the link, and it doensn't work with iOS devices... because no firefox and doesn't work with safari... so... useless? Why is this a core feature?

It will work when they support WebRTC.

Re:video chat

[BlackPignouf]

+1

Re:video chat

Chrome's PDF viewer (PDFium) has been open source since June.

Re:video chat

What point would there be to that? No one would install it. The bulk of people are loathe to install even one, let alone one for every friend they have who uses a different one. For all the hatred of "bloating up" the web, this really does have practical benefits: the same kind that having a simple-to-use-and-access remote desktop app bundled with the OS has.

Re:video chat

[CritterNYC]

Ah, did not know that. There's still quite a bit of closed source bits in Chrome (unlike Firefox which is all open source code), but it looks like the PDF viewer is no longer one of them.

Video chat??

I'm sorry i thought firefox was a browser not a fucking chat program.

Please mozilla, make two versions: One for your every day person who wants their browser to do everything and another for those of us us who simply want a browser with toggleable javascript, addons, html5 and THAT'S IT!

I swear the addons i use are the only thing keeping me with firefox.

Re:Video chat??

[reub2000]

Firefox was supposed to be just a browser. Has Mozilla forgotten why Firefox was created in the first place?

Re:Video chat??

Right, Firefox (previously Firebird (previously Phoenix)) was a spin-off from the Mozilla suite which contained, among other things, a chat platform and other sundry cruft. The Phoenix (then Firebird (then Firefox)) people got fed up with the bloat and decided to make a fast and lean browser.

Come full circle, Firefox has. Now it's about time to fork a decent, lean browser off of Firefox...

capcha: mosaics -- maybe that's a sign of where the future lies

Re:Video chat??

What Firefox needs is an email client!

Re:Video chat??

[AuMatar]

That's never what Firefox was about. It was a big rewrite because a bunch of Mozilla devs decided they wanted everything written their way and if it wasn't they'd rather restart from scratch. Even initial versions were actually more heavyweight and leaked more memory than mozilla suite. It should never have existed in the first place, they should have just moved the browser in Suite to a standalone download for those who wanted just that functionality.

Amusingly enough the old Mozilla Suite is still chugging along as SeaMonkey. Its still more performant than firefox and doesn't suffer from the feature creep or the "what features of chrome UI do we want to rip off this build" issues that FF does. Its a better product by a longshot.

Re:Video chat??

[OhPlz]

Now it's about time to fork a decent, lean browser off of Firefox...

Already there: Pure Moon, among others.

Re:Video chat??

Pale Moon.. damn it.

Re:Video chat??

All the developers I know have switched to Chrome. I still use Firefox since Chrome caches everything getting me in trouble. Yes, I know about the extensions for that. But the point here is the development tools make Chrome attractive. More than just browser I would say.

Re:Video chat??

[CanadianMacFan]

Well, the Phoenix name could be used again and be symbolic as well.

Re:Video chat??

[unixisc]

Why, what's wrong w/ Thunderbird? If you want an equivalent of Netscape Communicator 4 (remember that?), then SeaMonkey is the right choice

Re:Video chat??

Yes. It's time to dump the mail client and HTML editor out of Firefox.

Re:Video chat??

[lister+king+of+smeg]

What Firefox needs is an email client!

Why, what's wrong w/ Thunderbird? If you want an equivalent of Netscape Communicator 4 (remember that?), then SeaMonkey is the right choice

woosh.

Re:Video chat??

[savuporo]

And "web" should have stopped at HTML 4.01 ? What an odd number to pick.

People don't realize that this battle will not ever end. What exactly is "just a browser" supposed to do these days ? Javascript, flash, webgl, java applets ? WebSockets ? Maybe rewind the clock and go back to nonstandard video as well .. RealVideo .

So now firefox went and officially made WebRTC an actual visible thing, it is immediately bloat. How are the other half assed standard(ish) web tech crammed in over the years not bloat ?

This is a continuous evolution of web as a platform. You either try and stay at the forefront and be part of shaping the platform, or stay in the stone age - i bet IE can still run VBScript with some defaults. Maybe they still have Gopher client built in too.

Re:Video chat??

Amusingly enough the old Mozilla Suite is still chugging along as SeaMonkey.

Interesting fact: Seamonkey is not in any of the standard Ubuntu repositories.

Re:Video chat??

[gl4ss]

I'm sorry to inform but they forgot about that about the time they started switching around the names.

which was around the same time it got more popular than the old version.

Re:Video chat??

[TheRaven64]

Even initial versions were actually more heavyweight and leaked more memory than mozilla suite

That's not quite what I remember. Phoenix (then Firebird, then Firefox) and Thunderbird (or whatever it was called back then) between them used more memory than the Mozilla suite, but Firefox was lighter than using the Mozilla suite and just the browser. The big appeal of separating the two was that the browser was a buggy piece of crap and every time it crashed it took out everything else sharing the XUL runtime, including the mail client (which then had to spend time recovering corrupted databases on next launch). With Firefox, only the browser crashed and restarted quite quickly. Given that the browser crashed at least once an hour back then, it was a bit advantage. No one cared about memory leaks, because the browser didn't stay up long enough for them to become apparent. It was only after they fixed the stability issues that people started noticing.

Re:Video chat??

36 megabytes of bloat (OSX Yosemite update).Too much is too much.

Re:Video chat??

[synapse7]

Just need built in bit torrent and I can stop missing the old Opera.

Re:Video chat??

Download the tarball of the binary and untar it in your ~/bin.

Oh, wait--you're an Ubuntu user. Nevermind...

Re:Video chat??

[AuMatar]

I don't know what setup you used, but the only thing that regularly crashed mine, even back in the day, was eventual slowness and crashes due to memory. It was normal for it to run nonstop for several days. Really the whole Firefox split out was a big "but their code sucks because it isn't how I'd do it", resulting in a worse product. A case study in why you don't throw out working systems really.

Re:Video chat??

[cwsumner]

What Firefox needs is an email client!

Why, what's wrong w/ Thunderbird? If you want an equivalent of Netscape Communicator 4 (remember that?), then SeaMonkey is the right choice

woosh.

Let me rephrase that for you: What Firefox needs is a Compiler for the Clarion language and a Flowchart Editor! 8-P

Re:Recommendation for a good browser?

[wisnoskij]

Firefox lost me at least 10 versions ago, or whatever.

So sometime last week then?

Kiss my hairy Pale Moon, Mozilla!

[Tablizer]

"Pale Moon" is one possible alternative fork. Anybody want to recommend others?

Re:Kiss my hairy Pale Moon, Mozilla!

I know right. More bloat sometimes mean more features from which forks may choose..
I kind of get tried of all the bashing of Firefox.

Re:Kiss my hairy Pale Moon, Mozilla!

[hairyfeet]

Comodo IceDragon, Kmeleon, Waterfox, Seamonkey, and that is if you want to stick with the gecko engine. If you don't care which engine you use there is Chromium, SWIron, Comodo Secure Chromium and Dragon, Opera, Safari,OffByOne, Chrome, I'm sure there are others I'm missing.

That is why i just don't understand those that rage because a browser goes to poo...we have options folks! Its not like the old days where you had Internet Exploiter and Nutscrape and if you didn't fit into one of those 2 molds? Fuck off, no soup for you! Today we are just swimming in choices, we can all have a browser that works OUR way so if you don't like the trainwreck that FF is becoming? Tell them so then move to and support one of the alternatives!

Re:Kiss my hairy Pale Moon, Mozilla!

[savuporo]

If you are a developer or web content creator your options however are very limited. Technically they could do everything with lynx, however the tooling support would be pretty shitty and their customers wouldn't appreciate either.

I was just laughing my ass off the other day about Windows RT ( surface ) people not being able to use any other browser but IE , and then i realized there are some poor bastards somewhere actually trying to test their web based applications on that thing.

Re:Kiss my hairy Pale Moon, Mozilla!

[caseih]

Is Pale Moon an actual fork, or is it just a rebranding of Firefox releases with a few built-in add-ons and configuration tweaks, such as the task bar and the traditional style? Is Pale Moon under active development and diverging from Firefox? I use Pale Moon, but I've yet to see that it's actually a fork.

Re:Kiss my hairy Pale Moon, Mozilla!

[Richard_at_work]

I have to ask, why did you find solely using IE amusing? I have a Surface 2 RT, so I use IE a lot, and to be honest its no different to using Safari on IOS or whatever the default browser under the hood is on my Kindle. It works, it really just does. I don't give any thought to the fact that I'm using IE, and it doesn't cause any issues when browsing, so why so amusing?

Re:Kiss my hairy Pale Moon, Mozilla!

Pale Moon is probably the fork for the majority of people who complain about it - a regression back to the old familiar way that Firefox did things. There's another one called Light, which is the fork that people say they want - a stripped down Firefox.

Re:Kiss my hairy Pale Moon, Mozilla!

[MrL0G1C]

That is why i just don't understand those that rage because a browser goes to poo

It's because of browser customizability, I have about 30 extensions - a dozen of which I'd hate to lose and to configure a new browser with all bookmarks, extensions and settings would take many many hours to do, weeks of fixing niggly little things.

Is it so much to ask that a company with $300m revenue doesn't wreck one piece of software and fixes the bugs.

Re:Kiss my hairy Pale Moon, Mozilla!

Your choices are Gecko, Trident, or WebKit.

Re:Kiss my hairy Pale Moon, Mozilla!

[nobodie]

Because it is crap on the sites that I use to deliver content to my students. The two students that have surfaces are constantly failing to keep up because their browser can't connect to the LMS site (Canvas). Firefox (my hater buddies) is what works best for Canvas. Chrome is a close second and Safari neck and neck with chrome. IE is just a waste of time to even start up.

Sorry, but that is my daily truth, and the fact that my students have been brainwashed to use IE because they aren't sophisticated enough to know that there are other browsers is a sad commentary on the continuing effect of the MS micromonopoly. (Oh, this is in the US, but it is worse in China.)

Re:Recommendation for a good browser?

[plover]

The last version I want is V28. After that, their password sync system was changed in ways I no longer trust. NoScript, AdBlockPlus, Ghostery help keep me safe, and browsing fast; and there's no Google spyware. So it's still the best option.

Re: Recommendation for a good browser?

What convinces you that Chrome is spyware?

512-bit self-signed certs (e.g. DD-WRT)

Firefox 32 happily connects to DD-WRT's self-signed 512-bit cert.
Firefox 33 blocks DD-WRT's SSL cert, claiming "Secure Connection Failed" (Error code: sec_error_invalid_key), with no option to override.
Firefox 34 just lies and claims "The connection was interrupted". Like the fuck it was. It works *right now* in the other browser in my virtual machine, from the same PC. Even after restarting firefox, and even after restarting the machine.

Assholes got feedback that users need to access our HTTPS-encrypted DD-WRT, so they changed the message and claimed it was reset. This sounds like a case of "Let's just play the 'What problem? I don't have that problem on my machine. Oh, your connection was reset? That must be a problem with the device.' game"

Re:512-bit self-signed certs (e.g. DD-WRT)

[sexconker]

Not only that, but they fucking maintain their own DB of certs instead of relying on the OS.
So I can install and trust a cert on my machine (or everyone's machine by policy) but Firefox won't fucking play by the rules.
You have to find and use an obscure tool just to manage certs for Firefox. No thanks, assholes.

Re:512-bit self-signed certs (e.g. DD-WRT)

[Ash-Fox]

So I can install and trust a cert on my machine (or everyone's machine by policy) but Firefox won't fucking play by the rules.

I found Firefox easier for the fact that it's certificate store is cross platform and made it easier to deploy a single Firefox configuration across all platforms.

Re:512-bit self-signed certs (e.g. DD-WRT)

So I can install and trust a cert on my machine (or everyone's machine by policy) but Firefox won't fucking play by the rules.

So I can actually use shitty VPN software that nobody gets fired for buying, even though shitty operating systems won't fucking recognize the shitty certificate in their shitty default browsers.

Which leaves me with a choice of:

1. NSA Spying for Google Faggots Who Have Android Phones Shoved Sideways Up Their Asses Without Lube

2. Fat Singing Bitch That Don't Work Right

3. Fucking Sixteen Thousand Versions Per Dayfox

Sorry, but Fucking Sixteen Thousand Versions Per Dayfox is the best of the lot.

Thanks, assholes.

Re:512-bit self-signed certs (e.g. DD-WRT)

[Pope+Hagbard]

DD-WRT needs to fix their shit and generate a better SSL certificate, or you should quit pretending that a 512-bit cert is going to stop anything besides a nosy neighbor and use a wired connection with unencrypted HTTP to manage your router. I'm running Tomato Firmware with a self-signed 1024-bit cert (which is itself weak) over TLS 1.0 and Firefox 34 works just fine.

Mozilla's doing the Right Thing by blocking such a pathetically weak certificate.

Re:512-bit self-signed certs (e.g. DD-WRT)

You should be filing a bug report instead of whining here.

Re:512-bit self-signed certs (e.g. DD-WRT)

"you should quit pretending that a 512-bit cert is going to stop anything besides a nosy neighbor"

And what if they're not pretending? And what if that is good enough?

Re:512-bit self-signed certs (e.g. DD-WRT)

[Rich0]

Mozilla's doing the Right Thing by blocking such a pathetically weak certificate.

Only if they also block non-SSL connections as well.

I'm fine with a clear indicator when an SSL site has reduced security, such as being unauthenticated or using weak encryption. I don't like that we treat such sites as being less secure than sites that don't use SSL at all, when they are in fact more secure all the same.

Re:512-bit self-signed certs (e.g. DD-WRT)

[Pope+Hagbard]

If it bothers you that much, then figure out how to generate a decent certificate yourself and have your router use it instead.

Re:512-bit self-signed certs (e.g. DD-WRT)

[Pope+Hagbard]

This is probably aimed more at bad sysadmins, the kind who'd run an ancient version of Apache that still allows SSL 2.0 with a 40-bit cipher if they could get away with it, the idea presumably being to have their users complain and get them to fix their shit so it's actually secure and not pretend secure.

Besides, we all know those users who will simply rote-learn how to click past the annoying prompt without reading it, and there are a lot more of them than there are aspies running a crappy outdated router firmware. If it really bothers him, I'd wager there's an about:config setting somewhere.

Re:512-bit self-signed certs (e.g. DD-WRT)

AC replying to self. Firefox 34 allowed my DD-WRT cert after I went into about:config and changed security.tls.version.min to 0.

I got this from the "Firefox 34 and newer" update to Piotr Jurkiewicz's comment on Stack Overflow. He said to change security.tls.version.fallback-limit too, but that sounds like a bad thing, so I kept that at 1, and I was still able to connect to my DD-WRT.

p.s. To sibling who said "quit pretending that a 512-bit cert is going to stop anything besides a nosy neighbor and use a wired connection with unencrypted HTTP to manage your router.": I only access my router from my wired connection, but I don't trust ANY consumer-grade router to actually keep packets off the air. I have a VERY strong WPA2/AES pass phrase, but I still assume that my neighbors *might* find a way onto my network, and I don't want them to be able to intercept my router configuration password. Keeping neighbors off is the whole point. I live in a very large apartment complex in a tech-savvy city.

p.p.s. I have a Buffalo WZR-600DHP that has not released updated DD-WRT firmware images yet. Back in October I tried the 2014-10-01 firmware, but it repeatedly failed to install and I had to use the 30-30-30 reset to unbrick my router each time after the failed attempt. There are no release notes, so I don't know if it's supposed to address the certificate issue.

Re:512-bit self-signed certs (e.g. DD-WRT)

What? So it can be ignored? WONTFIX

Re:512-bit self-signed certs (e.g. DD-WRT)

[Jahta]

Not only that, but they fucking maintain their own DB of certs instead of relying on the OS. So I can install and trust a cert on my machine (or everyone's machine by policy) but Firefox won't fucking play by the rules. You have to find and use an obscure tool just to manage certs for Firefox. No thanks, assholes.

IMO Firefox are doing this right. Having known good copies of the major root certs bundled with the browser is a strong defense against MITM attacks. I've worked in more than one organisation that was doing MITM on their staff's SSL sessions (unknown to the staff) by silently pushing "trusted" DIY certs to the workstations by policy. Chrome and IE swallowed this without complaint. Only Firefox complained that I didn't in fact have a secure session with, for example, google.com.

Re:512-bit self-signed certs (e.g. DD-WRT)

Surely there must be a way to have whatever http server is running on the DD-WRT router to accept a 2048/4096 signed cert? Or am I drinking the openwrt koolaid too much?

Re:512-bit self-signed certs (e.g. DD-WRT)

[cbhacking]

Um... I hate to rain on your Mozilla parade here, but Chrome has full certificate pinning for Google properties, and has had it for quite a few versions now. Using any unexpected cert, no matter how trusted, for a Google property (or the handful of others that Chrome supports) will be detected and blocked. Mozilla has certificate pinning now as well, but only since version 32 (which is what, a month ago?). If the organization in question wanted to MitM Firefox's traffic as well as Chrome's, they would (until recently) have found it much easier to do on Firefox than on Chrome.

Re:512-bit self-signed certs (e.g. DD-WRT)

[MobyDisk]

I gotta say while this is a double-edged sword, I like it. I use FF at work and when the IT department started a MITM attack and added their phony certs to everyone's machines, I was the only one to notice. Both because Firefox didn't pick-up the new certs, and because SSL observatory caught it. SSL observatory should be mandatory on every browser for this reason!

Re:512-bit self-signed certs (e.g. DD-WRT)

[kosmosik]

> IMO Firefox are doing this right. [...] I've worked in more than one organisation
> that was doing MITM on their staff's SSL sessions (unknown to the staff) by silently
> pushing "trusted" DIY certs to the workstations by policy.

1) I don't belive that the organisation was doing it secretly or they were complete legal morons. Almost any larger organization has policies which you as employee/user accept. These policies are in place to inform you of such practices so you cannot sue them back for privacy breaches.
2) If organisation has the power to install certificates on client machines it basically administeres these machines. As an administrator it is safe to assume that they also got the means to block Fx or whatever unsupported software. Also usually serious organizations maintain a policy list of allowed software.

So in fact there is nothing that Fx did right in this scenatrio.

I am personally a Chromium user and as an administrator Fx states to piss me off. We support Fx on workstations, we push new releases form ERS channel via GPO and MSI installs. This usually works but once in a while it stops working and requires manual tweaking - and it is not our fault but Mozillas pushing undocumented new options or different defaults. We do test so it is not a major problem but it is more work that it should be.

Re:512-bit self-signed certs (e.g. DD-WRT)

Firefox on Fedora based distributions share the same global CA store

Re:512-bit self-signed certs (e.g. DD-WRT)

[sexconker]

Learn to read, retard. This is Firefox's shitty design. It's working as intended. It's a feature, not a bug. Etc.

Re:512-bit self-signed certs (e.g. DD-WRT)

[sexconker]

The separate cert store is separate from certificate pinning.
Chrome has certificate pinning, and MS supports it via EMET (and pinning rules set up through EMET will work for any program that uses the OS cert store properly).

Re:512-bit self-signed certs (e.g. DD-WRT)

[sexconker]

even though shitty operating systems won't fucking recognize the shitty certificate in their shitty default browsers

Install the certificate and make sure it's resolvable all the way up to a trusted root CA.

Re:512-bit self-signed certs (e.g. DD-WRT)

In my case, the problem is that it's a signed firmware that mounts everything readonly. There are tricks to make it use a better certificate until the device reboots, but then you have to login and make the same changes every reboot. That's a bit too much trouble when the browser could just say "Hey, watch out. This site is trying to use a 512-bit certificate. Are you sure you want to do this?"

Re:512-bit self-signed certs (e.g. DD-WRT)

[Rich0]

I still don't like the fact that you can get rid of the error by just dropping SSL entirely. Is that really an improvement?

Don't get me wrong - I picked a Buffalo router so that I could flash OpenWRT on it and avoid all this nonsense (the DD-WRT on it was decent but they stopped issuing updates and it is vulnerable to heartbleed, which potentially could impact WPA2 handshakes so it could be a real issue). I also thing we need to get past all this CA nonsense and move to DNSSEC for certificate distribution.

Re:512-bit self-signed certs (e.g. DD-WRT)

Your about:config "solution" was for something else entirely: your broken-ass router firmware doesn't even support TLS, just SSL 3.0, which is also broken.

The problem here is you, bucko. You need to switch to some other router firmware that's not complete shit, which I'm sad to say DD-WRT is.

Re:512-bit self-signed certs (e.g. DD-WRT)

[strikethree]

... or you should quit pretending that a 512-bit cert is going to stop anything besides a nosy neighbor ...

Erm, that is EXACTLY what the 512-bit cert is for: to stop the nosy neighbor.

But whatever...

firefox gets shittier every version

i swear google or microsoft are paying someone to fuck it up on purpose

Re:firefox gets shittier every version

[Aighearach]

I'm not normally the tinfoil type, but I've burned down this road so many times this seems like the most likely cause.

And there are so many security holes in the old versions, I can't go back. If it was safe I'd be using one from 5 years ago, when the quality was still fairly high.

Re:Recommendation for a good browser?

[Osgeld]

http://www.seamonkey-project.o...

Blatent memory leaks continue.

[AbRASiON]

I've even disabled 3/4 of my addons.

Rather than re-type my posts for internet karma, I'm just going to paste them at this point
http://news.slashdot.org/comme...
and here
http://news.slashdot.org/comme...

I gather, based on the fact I (and many) have whined about this for years now, I'd say they probably don't read slashdot.

Re:Blatent memory leaks continue.

And all these years you've just been whining on slashdot instead of showing actual reproducible evidence that would allow developers to find the cause of your problems and fix them.

If you don't like the product and don't want to do anything to help fix it, just ask for your money back. Oh, wait

Re: Blatent memory leaks continue.

Not OP here but that's exactly what I did. I was so tired if their poor code that put at risk my computer that I just uninstalled their shit.

Perhaps instead than wasting time and money in bloatware they could invest it in good coders and code review... But after all who cares, I certainly don't since they are not my problem anymore.

If I was in their pants I would take a look at the stats that show their browser in free fall pretty much anywhere on the globe and begin considering that maybe, just maybe, I should reconsider my priorities and stop throwing at critics the answer "if you don't like it then go elsewhere" because that's exactly what is happening and it is not good for them.

Re:Blatent memory leaks continue.

And it seems you've still not learnt that tabs aren't intended to be used as bookmarks.

The way you carry on about this, it almost sounds like you went looking for an extreme case that caused an issue, then tried to start an Occupy Slashdot campaign over it.

150 fucking tabs. Get over yourself.

Re:Blatent memory leaks continue.

[noldrin]

Strange, because all the people I know who switched away from Firefox did so because of the persistent memory leak issue which has only gotten worse version after version. How can the developers not find something that is so plainly observed by so many people?

Re:Blatent memory leaks continue.

[AbRASiON]

That's an extreme case and I certainly don't use tabs as bookmarks, I have thousands of those.
Regardless anonymous dipshit, the program USED to handle 150 tabs fine, 6 or 7 YEARS ago.

The stupid part is...

They already do:
Chatzilla.

This should've been rolled into that, with only a limited set of hooks in the core for stuff that it would need at the xul level (namely network access features, and audio/video encoding), and had a new section of configuration options added to the preferences menu to make it easy to disable completely, and ideally ask/warn when a script requests possession of it.

Re:The stupid part is...

[sound+vision]

Chatzilla seems to be abandonware, the last update was in 2008 or 2009.

Re:The stupid part is...

Incorrect, the latest version came out October this year.

Re:The stupid part is...

[chrish]

The most annoying part of Chatzilla being abandonware is that I can't find a better IRC client for Windows.

Pidgin is terrible, didn't like Trillium... seems like most other IRC clients haven't been updated in even longer than Chatzilla.

Re: Recommendation for a good browser?

Not the OP but what convinced me is that when you delete something out of your history Chrome still presents it on the startup screen and the url bar as if it was never deleted...so either each of those has some redundant history database that they aren't telling you about or deleting your browsing history is like deleting email in gmail, you can't see it anymore but google can...

Unwanted video on top of Australis mess? I'm out.

[xeno]

Make that STILL out.

When the naval-gazing derpfest at FF rolled out that hideous chrome-knockoff "Australis" interface revamp in v29, I used the debian equivalent of the middle finger: sudo apt-mark hold firefox
to stem the tide of f**ck-the-user UI design, common features hidden behind weird hamburger buttons, and unreadably huge defaults.
WOW. MUCH HUGE. SO WHITESPACE IS THE NEW CAPSLOCK.

That gave a me a little time to explore options. With a little work, I can make Seamonkey usable, but I do lament the loss of an easy choice that IU can recommend to less geeky friends. IE is a lost cause even on my work machines and msft doesn't remotely give a shit about user feedback. Chrome's entire skeletal structure is made from IE spyware toolbars working together as a virtualized/rootkit OS. And Firefox's UI team has gone full "Grinch paradigm" [To quote the original: "Here's our new, wonderful product. Isn't it wonderful? Don't you just love it? What do you mean it doesn't do something essential that you've been able to do for years and you don't like it? You ingrate! You're GOING to like our new product! We're not going to fix it just because you and 100,000 whiny little dweebs claim to need those missing functions!" ]

Screw this. I'm gonna donate a little more money to the upstarts, because Firefox is lost.

Please stop this nonesense

[Avalon's_Avatar]

I don't want to come across as a luddite but seriously stop with the bloat already. Firegerbil seems to have sacrificed efficiency to engage in an execrable arms race with Google. Please break this out into an add-on where it can die a lonely death and concentrate on improving the engine and other core optimisations.

Re:Please stop this nonesense

[AK+Marc]

Firefox was always about bloat. 5-10 years ago, I was a firm supporter of Opera. And when people talked about browsers here, someone would post a speed comparison where a minimal install of Firefox was compared with a full install of Opera, and Firefox was faster. Then, when I pointed out the mouse gestures, keyboard shortcuts, and ad-blocking in Opera that wasn't in that test, someone else would link to a list of Firefox add-ins. So the tests were always an "unusable" minmum install against everyone else, and the feature comparisions were of all the possible add-ons against everyone else. But I tried it. After 20-30 add-ons (necessary to match the features missing from the base install) if was unusable. And even with minimal add-ons, it never equaled my use of Opera (20-70 tabs open at most times). Doing that with Firefox killed my machine. As did IE, when IE finally supported tabs many years later. I still have Opera as my search browser. I like opening 20-30 tabs for a search. multiple reviews, multiple search parameters. Then close all but one when I find what I like. Maybe bookmark it, depending on what I was doing. It's the best way to find things that aren't popular to be the first result in every search engine (code the search engines so that "a [search]" searches Ask, "b [search]" searches Bing, and so on. It comes with some common ones pre-programmed, but you can change them to whatever you like. So heavier, in-depth searches were always much easier on Opera because of the ease of doing so many searches, and then comparing the results.

But my "main" browser is Chrome because we use lots of Google things at work.

Re:Recommendation for a good browser?

Chromium. It is Chrome, but missing all the Google spyware. Add on the extensions: Adblock Plus (most viruses come in through ads, also they're annoying), Disconnect (not ghostery - they help advertisers), HTTPS Everywhere (can't be too careful), ScriptSafe (NoScript in spirit on Chrome). Grab the 32-bit (the 64-bit seems unstable) version from woolyss, just keep in mind these are dev builds so expect bugs from time to time, and expect to have to go back to an older version sometimes so keep around your older installers: http://chromium.woolyss.com/

Re:Recommendation for a good browser?

[AK+Marc]

So you use Opera now?

Re: Recommendation for a good browser?

[sexconker]

Every single keystroke and mouse click is sent to Google. This includes while using the "private" modes.

Chrome

[brunes69]

... and that browser was Chrome when they implemented WebRTC back in 2012....

Re:Chrome

[vux984]

Wikipedia says Firefox has had it since 22... so its on 34 now... so what's that? 4 weeks already? What's new in 34? :p

Re:Chrome

What's new in 34?

From my tests 3-6% better on all javascript tests.

Prepackaged with Malware!

Yes, that's right, Yahoo! search is the best and fastest vector for getting infections STILL, even with AV solutions installed. Malware via ads, the WORSST ad network on the net for this crap.

I am done with you Mozilla. You are fucking idiots. I knew it when you put the fucking refresh button on the OPPOSITE end of the address bar from the rest of the navigation buttons, and now the world knows it. I hope you enjoy the you self-induced slide into uselessness.

I fucking hate you too Chrome but i will be switching to you until you do this same stupid shit.

Re:Prepackaged with Malware!

[wiredlogic]

It is just a default. You can still switch the search provider easier than in any other browser.

Re:Recommendation for a good browser?

[OhPlz]

No kidding. There's not much left after those, unless you want to warp back to the times of a simpler WWW.

Mozilla, can you say "add-on"?

[markdavis]

Here we go again.... WTF is "video chat" a core feature instead of an addon? It really doesn't even have anything to do with web browsing. And I can't imagine the code is small, either. Ug.

Re:Mozilla, can you say "add-on"?

This is a necessary core feature because the average user can't figure out how to use/install/upgrade addons. Because it is built in it will "just work" 99.5% of the time. This will make the webcam model industry big money because they can now start up a chat/stripshow with anyone that has Firefox installed. Live porn so simple even a PHB can do it.

Re:Mozilla, can you say "add-on"?

WebRTC is a standard, part of the web platform, so any decent web browser should support it natively, and they all will. Getting rid of addons, especially Flash, is exactly the point. If you have a problem with that, go complain to the W3C.

Firefox Hello is just a little added UI for handling calls. It's not even visible by default. I doubt it took many lines of code to implement.

Re:Mozilla, can you say "add-on"?

The code behind the button is:
CallVideoChat();

Near nothing in code. :D

Video chat without ZRTP?

If it doesn't have ZRTP encryption, then I won't use it.

Re:Video chat without ZRTP?

[MadMaverick9]

That's what you get for putting a phone into a web browser.

Use Linphone and get a proper VOIP phone (with ortp/zrtp).

Re:Video chat without ZRTP?

[NotInHere]

In fact, encryption is mandatory for webrtc: http://sporadicdispatches.blog...
However, dear AC, they prefer DTLS-SRTP instead.

And it only needs 20GB of RAM

[RogueWarrior65]

Feh...memory pig.

Re:And it only needs 20GB of RAM

[CanadianMacFan]

Oh, they've trimmed it down?

Re:Unwanted video on top of Australis mess? I'm ou

[Zynder]

Pray tell, what is a hamburger button?

new Firefox? Thanks

thanks for the post. I didn't know that version 34 is out. I'll download the Windows Version after I arrive home.

Why does every Firefox release get headlines here?

[QuietLagoon]

It certainly looks as if there's an unwarranted amount of arm waving, trying to counter the UI fiasco that is Firefox.

Re:Unwanted video on top of Australis mess? I'm ou

Pray tell, what is a hamburger button?

Real UI: User interface. File, Edit, View, History, Bookmarks, Tools, Help. See, it's discoverable, and I can tell you that the option you want is under Tools>Options>TellUXPeopleToGoFuckThemselves.

Hamburger Button: Nobody gets paid to do UI anymore. It's about UX. Mobile first. Because that's where I hope my next paid job is coming from, even though I'm currently just fucking up a desktop app in order to get some commits in muh Github repo that I use as a resume. Anyways. it looks like â (or at least it would, if Slashdot did Unicode) - three horizontal lines, vaguely suggestive of a bun, a burger, and another bun, or three vertical dots, or whatever the fucking UX fad is this week. And under it is a bunch of tiles with pictures instead of words, because nobody can be arsed to localize anything. You click on the, uh, hamburger menu, you then click - no, not the third picture from the left, they reorder themselves depending on what you used last week - you want the one that looks like a bird, but not the bird that represents the Twitter app. And then the one with the thing that might look like a shovel. It's actually supposed to be spatula to be suggestive of flipping. And then you uninstall the fucking app because that's still the only effective way of flipping the bird to the UX designer.

V34.0.5?

[antdude]

Hello.

I just upgraded Firefox v33.1.1 to v34.0 on my office's Mac mini with its updated Mac OS X 10.9.5. However, I am confused if this is v34.0.5 or not in its About screen. About screen says v34.0. Both https://www.mozilla.org/en-US/... and https://download.mozilla.org/?... say v34.0.5. How do I know if my installed one is b5?

Thank you in advance.

Re:V34.0.5?

[ArcadeMan]

Don't worry about it, next week you'll be running Firefox 35 anyway.

Re:V34.0.5?

[antdude]

v35.0.5 or v35.0? :P

Re:V34.0.5?

[CanadianMacFan]

And there will be something for virtual reality tossed in.

Re:V34.0.5?

[CritterNYC]

> Don't worry about it, next week you'll be running Firefox 35 anyway. Which is funny and all, but you realize that Chrome is on version 39 despite the fact that Firefox is 4.5 years older than Chrome, right?

Re:V34.0.5?

[s3anister]

Don't worry, you already can. https://developer.mozilla.org/...

Re:V34.0.5?

[ArcadeMan]

The Firefox team copied Google for the versioning of their browser. The next logical step will be to copy Microsoft and skip a number. Doing both at once (insane version increases and skipping a number altogether) means the next version of Firefox will be 46. Problem solved!

Re:V34.0.5?

Since the release of Firefox 5, firefox has incremented the version number every 42 days on average. Chrome since release has incremented every 57 days. So Firefox is in fact currently worse then Chrome at version number creep currently (i picked 5 as sometime around when firefox decided to copy chrome, i don't remember when exactly they changes release cycle).

Firefox:
5 release - 7/21/2011 | 34 Release - 12/2/2014 | 1230 days/29 version numbers = 42.4137931

Chrome:
1 release - 12/11/2008 | 39 release - 11/18/2014 | 2168 days/38 versions = 57.05263158

Re:V34.0.5?

[CritterNYC]

Yes and no. Chrome, in general, has more between version patches than Firefox. Version 33 was a notable exception due to the landing of off-screen GPU renderring though. So, even though Mozilla's release cycle is 15 days faster, Chrome is still pushing out more new browser versions. Source: I have to package every version of each for portable use, so I know about every new full version and patch version whereas most local users don't notice due to automatic updating.

Re:Unwanted video on top of Australis mess? I'm ou

[norite]

I think he's referring to that ice cream sandwich (That's what I call it) icon that is the settings...the three horizontal lines thing that the UX retards have replaced the wrench or gear icon with.

Re:Unwanted video on top of Australis mess? I'm ou

[Pope+Hagbard]

It's that button with three horizontal lines.

Re: Recommendation for a good browser?

The last version I want is 3.6. Now get off my lawn!

Re: Recommendation for a good browser?

[MancunianMaskMan]

delete something out of your history

consider using porn^h^h^h^h incognito mode rather than editing history

Re:Recommendation for a good browser?

[AK+Marc]

Lynx?

Re:Unwanted video on top of Australis mess? I'm ou

[ShaunC]

Well that explains... Something. To me, that icon with three horizontal lines looks like it's supposed to be for paragraph layout or something, so I've never touched it. I had zero clue that's where the settings had gone to, I thought it was some kind of inline HTML formatter.

RIP firefox

RIP firefox

RIP IN PEACE

RIP in pieces firefox

Re:Unwanted video on top of Australis mess? I'm ou

[Zynder]

Oh. I call that thing the right click button cause it causes the context menu to pop up like a mouse does. But I'm old and evidently just don't know what good UI design is.

Right after Yahoo spread Cryptowall

[slashmydots]

I'm sending Mozilla a message and using IE 11 for a month. I hope they have a heart attack when they see the stats. Anyone with me?

Re:Right after Yahoo spread Cryptowall

IE? I will sooner use Chrome.

Re:Recommendation for a good browser?

xombrero? I don't know anymore really.

Video Chat? Give me a break

[Khyber]

On my absolute shit Athlon X2 4850e, I can run Camfrog and fill BOTH 1080p screens with cameras, and have them all run like glass (assuming the users have proper lighting for framerate or adjust their cams to a set framerate.)

I tried WebRTC, and couldn't get more than ten without slowing my machine to a crawl.

WebRTC is absolute SHIT compared to a decade+ old video chat technology. What a waste of code.

I've also noticed that on IE, trying to use the Bing search engine gets me redirected to Charter taking my search result and passing it to Yahoo. Something smells fairly illegal about that, and with Yahoo also being attached to FireFox, I thik it's time I totally uninstalled FireFox and go with Chrome, not like the UI is really any different, now, and as a plus, I don't have to download and install Flash.

Plus I am seeing more than 50% of my web site-s hits coming from Chrome, so I know which way this tide is turning.

Re:Video Chat? Give me a break

[ruir]

Try configuring google DNS instead of the DNS Charter servers.That is, if they are not transparent proxying requests to other DNS servers...if they are, I recommend you change providers. I can swear they are messing around DNS from what you are telling us, it can be a couple of other things.

Re:Video Chat? Give me a break

[Khyber]

They're hijacking traffic directly. I'll have javascript disabled, flash disabled, and suddenly visiting a webpage I get a pop-over thing from the top telling me my Charter bill is due (which it is when it happens) but it's still bypassing my security features designed to prevent things like that from happening.

Re:Video Chat? Give me a break

[ruir]

What you are describing can be done messing aound with DNS and/or transparent proxying HTTP requests, and/or HTTP traffic injection . You may bypass it with google DNS, and/or a VPN, with Tor, or changing providers.

Re:Video Chat? Give me a break

[ruir]

I disable linked.in messages, which are fairly annoying as they modify their usual layout, by blocking the HTML tags with adBlock btw. It is another method of making those messages go away.

Re:Video Chat? Give me a break

[jimbo]

Perhaps give DNSCrypt a try.

Re:Unwanted video on top of Australis mess? I'm ou

If you and all the other "whiners" had donated enough to Mozilla before they got onto Google's teat, perhaps you wouldn't be crying about it now. But do go ahead and fund another browser, please. At least you've learned your lesson.

Chromecast on Android but...

Why is there no chromecast support on the desktop release?

Re:Unwanted video on top of Australis mess? I'm ou

[Indigo]

I think it's actually called the waffle button (because it looks like a stack of waffles seen edge-on).

Comodo's certificate extortion

[tepples]

Comodo IceDragon [...] Comodo Secure Chromium and Dragon

One feature of Comodo Dragon creates a perverse incentive not to encrypt personal web sites. When Comodo Dragon sees a domain-validated TLS certificate, it displays this interstitial designed to scare users away from using any HTTPS site not operated by "a legitimate business". This makes users feel safer using clear HTTP than using HTTPS on a site operated by an individual, which runs against the effort of HTTPS Everywhere to bring the benefits of encryption even to personal sites. Does Comodo IceDragon do the same?

Re:Comodo's certificate extortion

[Richard_at_work]

You realise all browsers do that, and for a good reason, right? Self-signed SSL certs actually break part of the point of how SSL certs are used on the web...

Re:Comodo's certificate extortion

[TheRaven64]

No. A self-signed SSL certificate is no worse than no SSL. The correct thing for browsers to do when encountering a self-signed SSL certificate is accept it silently, but not display any of the UI elements indicating that the site is secure (and to have a prominent red {insecure} label for every site that doesn't have the padlock). A self-signed cert protects your connection from passive adversaries and, as we have learned recently, that's a very important threat model to care about. Making it appear to users that a self-signed SSL cert is less secure than an unencrypted connection is not helpful.

Re:Comodo's certificate extortion

[Raumkraut]

You realise all browsers do that, and for a good reason, right?

Nope. Chrome does it much more elegantly IMO. They show that the site uses SSL, but that it is not secure (there's a red strike through the "https" IIRC).

Self-signed SSL certs actually break part of the point of how SSL certs are used on the web...

You know what breaks SSL even worse? Not using it at all. Yet non-https sites are often indicated to be *more* trustworthy (ie. there's no warning) than a site that uses a self-signed cert.
Self-signed certs don't prevent impersonation of the site, true. But they do prevent passive eavesdropping.
Don't let the perfect be the enemy of the good.

Re:Comodo's certificate extortion

[Richard_at_work]

No, I disagree with you completely - a self signed cert does *not* protect your connection from anything, unless the client already knows what to look for to ensure the cert they have is the cert you intended them to use. And that's where third party signed certs come in.

A self-signed cert that is silently accept it is much much worse than no SSL at all, because it allows the user to make assumptions about their use of the website which are absolutely not true. Assumptions which can be very damaging. I wouldn't ever send payment details over HTTP, as most people wouldn't at this point in time thanks to the decade and a half of education thats been going on - but I also wouldn't send payment details over a self-signed SSL connection. Ever.

Anyone suggesting self-signed certs should be silently accepted are part of the problem, not the solution.

Re:Comodo's certificate extortion

[Richard_at_work]

No, they don't prevent passive eavesdropping, because they don't prevent impersonation - if you cannot validate the heritage of the SSL certificate presented, then anyone could be presenting their own.

Highlighting self-signed SSL certs as the various browsers do is done so the user does not make the same assumptions about the site as they would a third-party signed SSL cert - because you simply cannot make the same assumptions, and its dangerous to do so.

At least with HTTP sites, people know and accept they are not secure - with a self-signed cert they are just as exposed due to inability to assume the cert is authentic and what the site intended to be used, but you are suggesting they can safely assume they are OK to use the site! Absurd!

Re:Comodo's certificate extortion

Thanks for educating us, IE user with Apple ad in his sig.

Re:Comodo's certificate extortion

[Ed+Avis]

Fine, self-signed certs should not be "silently accepted" - but then totally unencrypted, plain-text-over-the-wire, any-idiot-with-a-network-card-can-sniff-it traffic shouldn't be silently accepted either! Nobody objects to a reasonable browser warning on self-signed certificates. What many gripe about is the fact that these same browsers then show unencrypted sites with no question at all. Often, if Firefox produces an SSL certificate warning I just change the URI from https: to http: to get the damn thing out of my way.

Re:Comodo's certificate extortion

[TheRaven64]

a self signed cert does *not* protect your connection from anything, unless the client already knows what to look for to ensure the cert they have is the cert you intended them to use

Yes it does, it protects you against passive adversaries. Compromising an SSL connection with a self-signed certificate requires an active adversary (i.e. one who will modify traffic, not just sniff it). This is still possible with a signed cert if you're sufficiently large as the trust model for SSL (in the absence of certificate transparency, which isn't yet widely deployed) means that if any registrar is compromised (e.g. the one owned by the Turkish intelligence agency that all major browsers trust) then they can sign certificates for any domain.

A self-signed cert that is silently accept it is much much worse than no SSL at all, because it allows the user to make assumptions about their use of the website which are absolutely not true

No, displaying a user interface element indicating the site is secure when it only has a self-signed certificate is worse than no SSL. Rendering self-signed SSL certs in exactly the same way as unencrypted connections (as I suggested) is better, because it allows people to roll out SSL cheaply and makes the world no worse, just raises the costs for interception.

Re: Comodo's certificate extortion

Piss poor rentier CAs break part of the point of using TLS certs on the web. Self-signed certificates and private CAs are a way to mitigate that breakage.

Re:Comodo's certificate extortion

[cbhacking]

Sigh... I can't tell if you're arguing this because you don't understand the English language, of if you're just trolling.

If somebody has to "be presenting their own" certificate, then they are NOT PASSIVE!! A passive network attacker is, for example, somebody sitting at a coffee shop with the WiFi card in promiscuous mode, watching all the traffic that gets sent over that (open) network. In that position, the attacker cannot do a damn thing about a self-signed cert. Now, if they are able to use ARP spoofing or DNS hijacking or can configure the router's upstream host or something like that, then they can intercept traffic and present their own certificate, sure. That requires an *active* attack, though.

The reason that passive attacks are so concerning right now is that it's pretty trivial for ISPs and governments to record all network traffic that they want to. It just costs money for storage and storage bandwidth. However, they aren't actively intercepting that traffic, just passively recording it for later data mining. TLS, even using anonymous Diffie-Hellman or a self-signed certificate, is sufficient to completely defeat that kind of monitoring.

You're basically arguing that since an armored car can't tae a hit from the cannon of a main battle tank, there's no point in armoring them at all and it would be better for them to go unarmored so as not to lure people into a false sense of security. Turns out that's bullshit: the typical threat to people moving valuables is from small arms (which an armored car can shrug off just fine), and the typical threat to browser privacy is from pervasive passive monitoring, which self-signed certs defeat. Not that I would ever argue that it's better to have a self-signed cert than a CA-signed one, but it's not as *much* worse as you seem to think.

Besides, there's things you can do to make a self-signed cert even more secure. For example, you (the user) can add *just that cert* to your trust store. Now, if an attacker tries to substitute their *own* self-signed cert, your browser should object, or at least won't show the site as truly secured. For applications (including a few browsers) that support certificate pinning, this can also be used with self-signed certs in a trust-on-first-use basis (take a look at, for example, HTTP Public Key Pinning).

Re:Comodo's certificate extortion

No, they don't prevent passive eavesdropping, because they don't prevent impersonation - if you cannot validate the heritage of the SSL certificate presented, then anyone could be presenting their own.

If you're impersonating a destination site, you're no longer a passive attacker. For an attack to be passive, the communication between the origin and destination must be unmolested. Self signed certs do protect against passive attacks, as to a passive monitor the communication is encrypted. The moment you screw with that, though, you've engaged in an active attack.
 
Saying that, browsers act the way they do (self-signed certs BAD!) because the end user doesn't know what DNS cache poisoning is, doesn't know what a man-in-the-middle attack is, and can't tell between "intended site and encrypted but no 3rd party verification of authenticity" and "bad site pretending to be the site you meant to visit, but still encrypted". So the safe minimum is "reject self-signed certs".

Re:Comodo's certificate extortion

[hairyfeet]

Uhhhh...you think its BETTER to allow users to not know its a self signed cert from Joe Blow? Really? So you are saying that when they go to Google its 100% okay with you that they get a cert that is Gooogle signed by Bob in Russia?

There IS A REASON why most throw up warning flags about certs not signed by the big boys and it ain't a conspiracy Chuck, its so that the user isn't lulled into a false sense of security just because his "Bank Of Amerrica" site has a lock on it. You DO see the little checkbox, that says "I don't care" yes? If you are going to sites ran by Bob from Russia you are welcome to use the checkbox, but don't act like its a bad thing to warn users about self signed crap certs.

No mention of real Firefox alternatives

I may be "old school" but I still really like Konqueror or Rekonq. Simple, no bloat. What about Midori?

Re:Unwanted video on top of Australis mess? I'm ou

[xeno]

I did. They didn't give a shit. And lest you think me a whiner, I also contributed work and donated a bunch of money to the Mint project (among many others), and whaddya know, they listen to both technical and nontechnical contributors... and produce a polished product with great flexibility across a wider audience. So don't tell me it can't be done; it's just that the FF team decided their first principles were "oo shiny" and "I know best" instead of "do the needful things" and "listen."

Do not want.

Firefox was just becoming s decent browser again and I was getting to trust its private browsing feature more than google and ie, but if my private browser is calling home to check to see if anyone wants to video chat, it makes you wonder how private or secure it is.

Phoenix BIOS

[tepples]

Phoenix is a BIOS company (or at least was during the Firewhatever name controversy). Why would a company that makes a browser designed to run in BIOS go with Gecko instead of something lighter?

Re: Recommendation for a good browser?

[EzInKy]

What convinces you that Chrome is spyware?

Google.

Re:Unwanted video on top of Australis mess? I'm ou

[xeno]

Mom?

Is that you?

.

It seems to be related to the new Y! search.

[antdude]

It looks like it is related to the search engine for upgraders and new installations as shown in http://www.dslreports.com/foru... thread. :/

Is it too much to ask

[rossdee]

Is it too much to ask that when updating an existing installation, it leaves all the current settings alone ?

OK now I set the default search back to Google, what else do I have to do.

BTW I don't have (or want) a webcam connected to my PC

Re:Is it too much to ask

[error_logic]

Did you download the installer and run it or something? My search provider stayed the same, but I updated through the About menu.

Re:Is it too much to ask

It does use your current settings.

If you ever changed your search setting, it keeps it. If you never changed your search setting, it asks you what you want the default to be. If you never had Firefox installed before, that's when Yahoo is set as the default search within Firefox.

Re: Recommendation for a good browser?

[Luckyo]

That's 3.6.28

I wish Safari would bring back RSS

[petsounds]

I've been impressed by Safari 8 with Yosemite. I'm so eager to drop the bullshit that Firefox has become, but without proper RSS support I just can't do it. Yes, they did bring back a kind of RSS, but it just dumps all the subscriptions into an unsorted window (and no I don't want a separate reader app).

The Majority Of People Can Use It Now

[CritterNYC]

It'll start with users on Windows that are using better browsers (Firefox and Chrome as well as variants) as well as some of the 8% of the world that runs Mac who've grown beyond the often-outdated Safari (since it's OS tied and you have to upgrade your whole OS to update it). And it'll start on the majority of smartphone users that use Android. So that means most users can either use this now or upgrade to a better browser that can use this now. It'll come to the #2 mobile OS later once Apple adds it in to Safari but then it'll work for every browser on iOS since every browser on iOS is actually just Safari with a pretty UI on top.

Re:Unwanted video on top of Australis mess? I'm ou

[sound+vision]

The gear icon is still there, and in fact you still need to use it for some settings. Some are under the gear, some are under the "hamburger button", some are in the hidden-by-default menu bar at the top.

Re:Unwanted video on top of Australis mess? I'm ou

the Fx team decided

FIFY. I see that you're so involved that you used the wrong abbreviation.

Re:Recommendation for a good browser?

"and there's no Google spyware" ... so, you're saying you want internet ads to be eternally horrible? That Google, as their profit motive, should not be invested in showing you the ads you are most likely interested in?

I mean, if that's the case, you can always install do not track and google analytics optout on Chrome... then you can be sure that Google isn't tracking you.

That is, unless you're just paranoid.

Re:Recommendation for a good browser?

Chromium. It is Chrome, but missing all the Google spyware.

You mean... the built in Flash player? Google doesn't have spyware unless you opt in, and it anonymizes your data before you send it by your computer randomly lying to them.

Google has enough data that the lies don't affect the actual statistics, but don't allow anyone to trust any of the individualized data...

Also, Google has tons of really smart academics working on "how can we extract individuals out of randomized aggregate data?" then following up with "how can we prevent this."

One click search

I don't think they thought this thing through. If i type few letters, i only get the suggestions for the default engine and the others are searched with the few letters i typed.

Seriously, this should've been noticed while they tested this. I don't understand what was so wrong about the way it was. What exactly does this new way bring to the table? It was a one click search before, all i had to do was to select the search engine and then type the search, now it's just the other way around and it does not work correctly, because of that.

Re:One click search

Replying to myself, here's how to disable the one click search:
http://techdows.com/2014/11/firefox-34-disable-or-remove-one-click-searches-ui-in-the-search-bar.html
(at the bottom of the page)

Are You Shitting Me?

Built-in chat in a browser that dumped MNG support because 60k was too much extra size for the distribution? What a fucking joke. Also, Mozilla Team, you want to know why people aren't updating Firefox even with critical security issues? Because you cram all the other shit changes down our throats with the security update. We don't want that other crap so badly we're willing to live with the security risk. Long live blackholing Mozilla update servers at the network's edge router.

Re:Recommendation for a good browser?

So you use Opera now?

In my case yes. Although the 12.xx version not the new googleish copy that eviscerated all the good features Opera had.
So as long as 12.xx continues to receive security updates I'll continue to use it. When it dies, I'll migrate very sadly to Seamonkey. Which is a decent browser but leagues behind the perfection of Opera 12.xx.

Fuck your bloat, Firefox!

[HnT]

Fuck you, Firefox! Sincerely, everyone.

Full circle ... almost

Remember when Firefox was that lean browser that was a viable alternative to the bloated Mozzilla ?
What's next ?

Re:Full circle ... almost

[twokay]

Hehe, sadly it looks like it's the way things are going. I still prefer Firefox to Chrome simply because i don't want to feed Google any more data that i have to, and having 3 major browsers is important for an open web. Also don't like Google's tactics of deliberately making there sites run slower on anything other than Chrome.

However it seems to me that Firefox has a problem, HTML5 and a lot of the new protocols around that mean that they have to keep up by adding support -- "bloat". But it is as yet unclear how useful these will be. In the Phoenix and early Firefox days when FF was stomping all over IE it was just HTML+Javascript and 3rd party plugins, and they optimized that perfectly.

Now FF has to deal with what new features they need to add to keep up. When the feature creep slows and we see which protocols have won the next generation web maybe a Phoenix-like browser will emerge from the FF code.

Re: Recommendation for a good browser?

I've always found it interesting that for a split second on Google Drive, on a brand new PC that never connected to the internet, you will see your deleted folders and deleted files pop up before dissapearing again. They might want to fix that in case anybody gets the mistaken impression that their files aren't actually gone

Konqueror

[cbhacking]

Konqueror is still pretty decent. These days it generally uses WebKit (which was built from Konqueror's KHTML engine originally). I like its interface and generally high utility.

Aside from being in the package repose for pretty much all desktop Linux and BSD variants, it's also available for Windows. Haven't checked for Mac, but it's probably available there too.

Re: Recommendation for a good browser?

Proof?

Re:Recommendation for a good browser?

Try Fifth.

It breaks Tree Style Tab

[HyperQuantum]

Unfortunately, this upgrade broke one of my favorite plugins: Tree Style Tab. A previous upgrade caused the whole tree to be expanded when restoring the tabs at Firefox startup, and now since FF 34 new tabs are no longer opened as a child of the current tab :-(

Re: Recommendation for a good browser?

Schmidt? Is that you?

Re: Recommendation for a good browser?

I once installed zonealarm, the free firewall software, on a machine that wasn't mine. Many firewall warnings started popping up from chrome... I don't remember the details, but chrome was sending a lot of data back home and it was very hard to stop it from doing that. Translation: they spy hard and are very sneaky and difficult to disable the spying.

Not on by default

[eneville]

Mozilla are throttling the chat feature.

To enable, go to about:config, and set loop.throttled to false. Otherwise there is a one in ten chance of having the feature. Currently I think the servers are struggling. It's a new feature and as such needs to bed in whilst capacity is judged.

HTH.

Does anyone know...

What the last GOOD version of firefox was?

I've put off updating for awhile. And now all the latest stuff i see about it. I don't want to use the newest...

zza

What about real improvements instead?

What about supporting new and useful technologies instead than wasting your time (and google's money http://thenextweb.com/insider/2013/11/21/mozillas-reliance-google-increasing-90-2012-revenue-came-one-source/) in useless bloatware?

Things like supporting the new FIDO alliance security keys (https://fidoalliance.org) to make the web safer for everyone, or stop boycotting good technologies such as Dart which makes development faster, easier and clearer than Javas*it?

When will we have these things? In 10 years? Quite frankly I just dropped Firefox months ago in favor of Chrome and I see it happening everywhere, everyone i know is doing it, it is just a matter of time before they become irrelevant. Unless I see real improvements I won't go back.

Didn't change my default search engine...

[Bill_the_Engineer]

Just wanted to report my own anecdotal observation that after updating Firefox to 34, my default search engine remained set as "Google" and did not require me to change the setting.

I assume only users installing Firefox for the first time will get the "Yahoo" search setting.

Re:Didn't change my default search engine...

[neminem]

You assume incorrectly. I was surprised over the weekend to find my searches being redirected to yahoo, and I'd been using FF for many, many years. Most likely at some point you explicitly selected Google, thus locking it in, whereas I just kept it as the default and never touched setting? I dunno.

Re: Recommendation for a good browser?

[Mister+Transistor]

You mean your browser was trying to access the internet?? Oh, the horror!

Re:Recommendation for a good browser?

Your comment needs to be at +6. My work computer still runs Opera 12. If Opera ever open sources 12, that will be a very happy day!

Opera 12 is still the best.

Self-signed != domain-validated

[tepples]

There are five tiers:

1. Clear HTTP
   This works with no interstitial in all browsers.
2. HTTPS with a self-signed certificate
   This shows the "unknown issuer" interstitial in most major browsers and the "struck-out https" in Chrome.
3. HTTPS with a certificate from a trusted CA, naming a domain
   This shows "This website does not supply ownership information" and "Organization: <Not part of certificate>" in Firefox's Page Info > Security and shows the "legitimate business" interstitial in Comodo Dragon.
4. HTTPS with a certificate from a trusted CA, naming an organization as the owner
   This shows the business's trading name in in Firefox's Page Info > Security and skips the interstitial in Comodo Dragon.
5. HTTPS with an extended validation certificate from a trusted extended validation CA
   This shows the business's trading name and address and triggers the green address bar.

You appear to have confused tier 2 (self-signed) with tier 3 (CA-signed, domain-validated). A certificate that triggers the "legitimate business" warning is not a self-signed certificate. It is a certificate issued by a certificate authority trusted by the browser. For example, Starfield is a CA known to several browsers. A certificate for "slashdot.org" with no organization issued by Starfield would trigger "legitimate business" interstitial, but a certificate for "slashdot.org" with organization "Dice Holdings" issued by the same CA would skip it. Self-signed certificates are a completely separate issue.

Does it still support Sync 1.1?

[allo]

Custom Servers for 1.5 still not available and mozilla announced to discontinue sync 1.1 soon. So does this release still support it?

KCM vulnerable to MITM from day one

[tepples]

Thank you for clarifying the difference between a passive and active attacker for grandparent. Now to address one issue:

Now, if an attacker tries to substitute their *own* self-signed cert, your browser should object, or at least won't show the site as truly secured. For applications (including a few browsers) that support certificate pinning, this can also be used with self-signed certs in a trust-on-first-use basis (take a look at, for example, HTTP Public Key Pinning [ietf.org]).

This behavior is called "trust on first use", "pinning", "key continuity management", and "what SSH does". But if your first connection to a given host is through the system of an an active (man in the middle) attacker, such as when you first register on a site or you first use a new device, you've given up your info to the attacker.

Re:KCM vulnerable to MITM from day one

[cbhacking]

Well, you can pre-pin a cert (Google does this with their own properties, for example, and as of Firefox 32, Firefox does it for Mozilla stuff and I think some Google stuff). You can also always manually check a certificate's fingerprint before you send any data over it. That leaves the question of what you check it against, of course, but that's the whole key distribution problem; at some level you have to have a trusted source of key identity.

I really do wish there was more support for TOFU (Trust On First Use) in browsers today, though. For example, I *can* explicitly trust a self-signed certificate for example.com. However, if I later get a different cert for example.com, my browser will simply evaluate it the way it would evaluate any cert (for example, if it's signed by a Chinese government-controlled CA, the browser will trust it unless I've removed trust for that CA). None of the major browsers will stop and say "Hey, that is *NOT* the cert I expect for this site!" the way SSH (or Remote Desktop, for that matter, which also uses TOFU) will. This greatly irks me. Certificates don't change that often, and most of the time it's just an update to the expiration date or adding a new subdomain or something else innocuous like that. Even a change to the public key isn't that big a concern, especially if the old key is revoked; people rotate keys sometimes as a matter of good practice. But a change to the CA, or a change to a pinned leaf node (where I basically said "this shouldn't change"), ought to raise warning flags.

Domain-validated != self-signed

[tepples]

Uhhhh...you think its BETTER to allow users to not know its a self signed cert from Joe Blow?

Where did I say "self-signed"? Like Richard_at_work, you are confusing self-signed certificates with CA-signed, domain-validated certificates. (I explained the difference in this reply.) Chrome and Firefox already block the former; Dragon alone blocks the latter.

its so that the user isn't lulled into a false sense of security just because his "Bank Of Amerrica" site has a lock on it.

There are two ways this can proceed:

• Registering "bankofamerrica.com" and using a self-signed certificate.
• Registering "bankofamerrica.com", putting up a makeshift site branded "BFR Banko Famer Rica" on that domain with a few legit-looking posts about Costa Rica or something, using the BFR site to prove domain control when buying an entry-level certificate for "bankofamerrica.com" from a widely trusted CA, and finally switching the site to a BoA-impersonation site.

Which of these attacks are you envisioning? Most browsers already warn about the first. Comodo Dragon also warns about the second but in the process warns about every legit personal blog, forum, or wiki that uses TLS.

Re:Unwanted video on top of Australis mess? I'm ou

[nmb3000]

WHITESPACE IS THE NEW CAPSLOCK

That's just beautiful. I might have to steal that for a new .sig at some point :)

Yahoo

[brunnegd]

Yahoo has a search engine? Only Ya-hoos use Yah-oo.

Theme music

[rcharbon]

https://www.youtube.com/watch?...

Priorities

[JBv]

So they leave out features everyone considers critical for a good browsing experiencie such as ad blocking, click to play plugins and videos. These feartures are so dear that there are plenty of 3rd parties providing them. Instead, they bundle a video chat app that i did not even consider having in the browser.

Has mozila resigned to becoming a gmail front end? The interface changes, the chat and the neglect of thunderbird seems to point in that direction.

Re:Recommendation for a good browser?

[MrL0G1C]

Ghostery help advertisers, in what way? Genuinely curious as I use it.

Re:Recommendation for a good browser?

[brainnolo]

Yandex.Browser is what I use. It is Chromium based, but has some features from Opera. If you go to the Extensions tab you already find a good Adblocker which you just need to activate and you can configure it to block plugins (like Flash). You can then activate Flash selectively (either on a one-off basis or permanently for a domain).

Re:Recommendation for a good browser?

[plover]

Actually, I've never gotten the whole "Chrome is the greatest browser ever" thing. I think it's probably a "more of what I'm used to", but the Firefox plug-in ecosystem has always appealed to me, as it does everything I want, the way I want.

And my "Internet ads" are all equally un-horrible - adblock sees to that.

My privacy boils down to two simple choices: I can guess which providers and trackers might honestly respect my opt-out wishes and not track every step I take (and I also have to guess what that means regarding their anonymised statistics gathering); or I can simply never send any of them any of my data, and know for sure.

Re:Recommendation for a good browser?

Otter Browser (http://otter-browser.org/) is a pretty good re-implementation of classic Opera if you want that. It also uses WebKit (via QtWebKit), although to me that's a minus, because having a variety of rendering engines means that the IE6 situation can never happen again.