Firefox 34 Arrives With Video Chat, Yahoo Search As Default

An anonymous reader writes: Mozilla today launched Firefox 34 for Windows, Mac, Linux, and Android. Major additions to the browser include a built-in video chat feature, a revamped search bar, and tab mirroring from Android to Chromecast. This release also makes Yahoo Search the default in North America, in place of Google. Full changelogs: desktop and Android."

Re:Yahoo Search?

[rudy_wayne]

I was really hoping that when Mozilla's contract with Google ran out the whole bloated business would collapse and they would go back to just making a browser that people actually want to use. But a new money truck just arrived in town and they can continue to add more and more useless 'features' while destroying all the things that made Firefox popular in the first place.

Re:Recommendation for a good browser?

[plover]

The last version I want is V28. After that, their password sync system was changed in ways I no longer trust. NoScript, AdBlockPlus, Ghostery help keep me safe, and browsing fast; and there's no Google spyware. So it's still the best option.

Re: Recommendation for a good browser?

Not the OP but what convinced me is that when you delete something out of your history Chrome still presents it on the startup screen and the url bar as if it was never deleted...so either each of those has some redundant history database that they aren't telling you about or deleting your browsing history is like deleting email in gmail, you can't see it anymore but google can...

Re:Video chat??

[AuMatar]

That's never what Firefox was about. It was a big rewrite because a bunch of Mozilla devs decided they wanted everything written their way and if it wasn't they'd rather restart from scratch. Even initial versions were actually more heavyweight and leaked more memory than mozilla suite. It should never have existed in the first place, they should have just moved the browser in Suite to a standalone download for those who wanted just that functionality.

Amusingly enough the old Mozilla Suite is still chugging along as SeaMonkey. Its still more performant than firefox and doesn't suffer from the feature creep or the "what features of chrome UI do we want to rip off this build" issues that FF does. Its a better product by a longshot.

Re: Recommendation for a good browser?

[sexconker]

Every single keystroke and mouse click is sent to Google. This includes while using the "private" modes.

Re:512-bit self-signed certs (e.g. DD-WRT)

[sexconker]

Not only that, but they fucking maintain their own DB of certs instead of relying on the OS.
So I can install and trust a cert on my machine (or everyone's machine by policy) but Firefox won't fucking play by the rules.
You have to find and use an obscure tool just to manage certs for Firefox. No thanks, assholes.

Is it too much to ask

[rossdee]

Is it too much to ask that when updating an existing installation, it leaves all the current settings alone ?

OK now I set the default search back to Google, what else do I have to do.

BTW I don't have (or want) a webcam connected to my PC

Re:Comodo's certificate extortion

[TheRaven64]

a self signed cert does *not* protect your connection from anything, unless the client already knows what to look for to ensure the cert they have is the cert you intended them to use

Yes it does, it protects you against passive adversaries. Compromising an SSL connection with a self-signed certificate requires an active adversary (i.e. one who will modify traffic, not just sniff it). This is still possible with a signed cert if you're sufficiently large as the trust model for SSL (in the absence of certificate transparency, which isn't yet widely deployed) means that if any registrar is compromised (e.g. the one owned by the Turkish intelligence agency that all major browsers trust) then they can sign certificates for any domain.

A self-signed cert that is silently accept it is much much worse than no SSL at all, because it allows the user to make assumptions about their use of the website which are absolutely not true

No, displaying a user interface element indicating the site is secure when it only has a self-signed certificate is worse than no SSL. Rendering self-signed SSL certs in exactly the same way as unencrypted connections (as I suggested) is better, because it allows people to roll out SSL cheaply and makes the world no worse, just raises the costs for interception.

Re:Comodo's certificate extortion

[cbhacking]

Sigh... I can't tell if you're arguing this because you don't understand the English language, of if you're just trolling.

If somebody has to "be presenting their own" certificate, then they are NOT PASSIVE!! A passive network attacker is, for example, somebody sitting at a coffee shop with the WiFi card in promiscuous mode, watching all the traffic that gets sent over that (open) network. In that position, the attacker cannot do a damn thing about a self-signed cert. Now, if they are able to use ARP spoofing or DNS hijacking or can configure the router's upstream host or something like that, then they can intercept traffic and present their own certificate, sure. That requires an *active* attack, though.

The reason that passive attacks are so concerning right now is that it's pretty trivial for ISPs and governments to record all network traffic that they want to. It just costs money for storage and storage bandwidth. However, they aren't actively intercepting that traffic, just passively recording it for later data mining. TLS, even using anonymous Diffie-Hellman or a self-signed certificate, is sufficient to completely defeat that kind of monitoring.

You're basically arguing that since an armored car can't tae a hit from the cannon of a main battle tank, there's no point in armoring them at all and it would be better for them to go unarmored so as not to lure people into a false sense of security. Turns out that's bullshit: the typical threat to people moving valuables is from small arms (which an armored car can shrug off just fine), and the typical threat to browser privacy is from pervasive passive monitoring, which self-signed certs defeat. Not that I would ever argue that it's better to have a self-signed cert than a CA-signed one, but it's not as *much* worse as you seem to think.

Besides, there's things you can do to make a self-signed cert even more secure. For example, you (the user) can add *just that cert* to your trust store. Now, if an attacker tries to substitute their *own* self-signed cert, your browser should object, or at least won't show the site as truly secured. For applications (including a few browsers) that support certificate pinning, this can also be used with self-signed certs in a trust-on-first-use basis (take a look at, for example, HTTP Public Key Pinning).